There is nothing like the first few weeks of being a parent. The unimaginable joy, the smiling faces of friends and family… (Oh who am I kidding?) The unrelenting exhaustion, the piles of dirty dishes and take-out boxes…
It was in these early weeks I vividly remember laying my daughter down and praying to the universe that she would actually give me two uninterrupted hours to work through a pile of unopened mail that I discovered a bombshell: a letter from Premera notifying my weeks-old daughter that her information had already been stolen.
I’ve found myself revisiting these moments in the wake of the ever-continuing torrent of data breaches which culminated in the tsunami that was the Equifax breach.
Is this the new normal?
If my daughter’s data can be stolen in the first 0.1% of her expected lifespan, what is the point of protecting data at all?
We are rapidly entering an era in which it probably makes sense to assume your data has already been stolen and just work to protect it.
The most common advice I’ve heard is to set up a so-called “credit freeze” in which you must “unlock” your credit if you wish to take out a new credit line. Problem solved! Right…?
As top security journalist Brian Krebs explains, “Crooks and identity thieves broadly have access to the data needed to reliably answer (freeze) questions on most consumers. That is why this offering from Experian completely undermines the entire point of placing a freeze.”
It should be noted that Krebs is a strong advocate of placing a credit freeze, but it is far from the magic bullet some are portraying it to be. Furthermore, you are required to place a credit freeze individually with all the major credit bureaus.
So what else can you do?
As any good security professional will tell you, there are three key types of security control: preventive, detective, and corrective.
Our initial instinct is always to go to the first type of control: preventive. Keep the bad thing from happening. A credit freeze is part of that line of thinking.
The second type of control, detective, focuses on making sure you know something bad has happened. The most effective detective control is to put a fraud alert on your credit. This means that before a business issues credit to you, they must contact you directly to ensure you are the person requesting it.
Sounds great, right? Unfortunately, you must manually request that the fraud alert is maintained every ninety days.
Additionally, there is another cottage industry of services like “LifeLock” who offer monthly credit reports and a promise to watch your credit for you. At this point, odds are that you are eligible for some free services due to a breach, but this isn’t perfect either:
You typically aren’t notified of a new account for at least a month, after which time the damage is already done.
The final area of controls, corrective, strive to fix the problem after something bad has happened. In these instances, they are typically given in conjunction with services like “LifeLock” in which you are promised legal aid and insurance if your identity is stolen. The catch here is that most services cover only your legal fees, not your actual damages. Meaning that if someone buys a house in your name, they’ll cover the lawyers to fight the case, but not any ensuing damages.
So is a combination of all three the answer? Unfortunately, no. Everything we’ve talked about will only stop someone from opening an account or credit line in your name. It does nothing to stop someone from collecting social security benefits under your name, dumping your 401K, or (SPOILER ALERT TO TOP STORY IN APRIL OF 2018) filing a fraudulent tax return on your behalf.
If you aren’t feeling hopeless by now, you are doing better than I am.
The best hope we all have is a massive overhaul of how credit reporting is performed. Consider this: credit card companies are constantly improving their ability to detect, prevent, and correct fraud because they have skin in the game. The credit reporting agencies don’t seem to have this interest because they answer only to their real customer (banks) and not the average consumer.
If we could make credit agencies own the fraud much like credit card companies do, maybe there is a chance something will get better.
In addition, if credit agencies would allow no-cost, permanent fraud alerts to be put in place, consumers would have more control over how their credit is issued. Unfortunately, it will likely take legislative action to get this to happen.
In the meantime, I’ll start putting fraud alerts and freezes on my daughter’s credit and hoping for the best…