Identity Theft How to Protect Your Name (18 page)

C H A P T E R 7

in the industry. We do not believe these principles provide sufficient safeguards for consumers.

IRSG companies gather and sell Social Security numbers. Social Security numbers are collected from a variety of public and nonpublic sources. Public documents such as bankruptcy filings and other types of court records often contain Social Security numbers of the parties to a proceeding. Nonpublic documents such as credit headers, the identifying information at the top of credit reports (including names, addresses, ages and SSNs), are also culled for information.

Rotenberg also pointed out that, in 1997, the IRSG

had worked with the FTC—but without any public input—to develop a set of self-regulatory principles.

These self-regulatory principles allowed for the sale of SSNs without the knowledge or permission of the people to whom the numbers refer.

Under the IRSG principles, companies can freely sell and distribute
SSNs gathered from public records
.

The IRSG Principles treat SSNs differently if they come from nonpublic sources—such as other credit bureaus. However, the guidelines for the sale of SSNs from nonpublic sources are completely subjective and largely ignore the privacy interests of the people involved.

The IRSG principles create a multi-tier system for the sale of information gathered from nonpublic sources.

The first tier for the sale of SSNs applies to “qualified subscribers”; complete SSNs can be sold to those deemed to fall into this category. But there’s no defi-1 6 7

B A N K S A N D C R E D I T B U R E A U S

nition of what makes someone a “qualified subscriber.” Moreover, the conditions that qualified subscribers must meet under the IRSG principles rely entirely on the determination of the data seller and the data purchaser on what is an “appropriate” use of such information. The person whose SSN is being sold has no input into whether the use is “appropriate.”

Rotenberg went on to describe IRSG self-regulation: Oversight of IRSG companies is generally weak. Yearly assessments required by the IRSG Principles, are conducted by “reasonably qualified independent professional” services. The assessment criteria, in many places, simply ask whether IRSG companies have some process in place, rather than evaluating whether such a process is effective. The assessment criteria do not seek to evaluate whether such qualifications are stringent enough or even if they are evenly applied among different IRSG companies. In addition, none of the results of assessments are publicly displayed.

Rotenberg’s group suggested that Congress enact legislation that would: •

limit the use of the SSN to those circumstances where use is explicitly authorized by law; •

prohibit the sale
and limit the display of the SSN by government agencies; •

prevent companies from compelling consumers to disclose their SSN as a con-1 6 8

C H A P T E R 7

dition of service or sale unless there is a statutory basis for the request; •

penalize the fraudulent use of another person’s SSN but not the use of an SSN

that is not associated with an actual individual. This would permit, for example, a person to provide a number such as “123-00-6789” where there is no intent to commit fraud; and •

encourage the
development of alternative, less intrusive means of identification
.

P R I V A C Y N O T I C E S

We started this chapter by discussing the Gramm-Leach-Bliley Act of 1999 and its effect on consolidation in the financial services industry. But the GLB

Act also included a number of consumer-protection measures which—if used correctly—can be of real help in combatting ID theft.

The GLB Act requires organizations that gather personal information from customers to
mail notices
each year
explaining how the groups use the information. It applies to a wide variety of operations, including obvious ones like banks and credit card issuers. But it also applies to less-obvious ones—insurers, automobile dealerships that arrange financing or leasing and financial advisers and consumer counsel-ing agencies.

Each must report to its clients—whether it sells the information or gives it to other organizations—and
1 6 9

B A N K S A N D C R E D I T B U R E A U S

explain
how consumers can opt out
of having at least some of their information distributed. These written notices must clearly describe the institution’s practices and policies about collecting and sharing “nonpublic personal information.” For example, a typical disclosure might explain that your bank shares information about your account balance, payment history and credit card purchases with non-financial companies, such as retailers, direct marketers and pub-lishers.

A critical provision of the law gives consumers the right to
block an institution’s disclosure
of private information to companies not affiliated with that institution. Under the rules, even people who are not technically customers of a financial institution—such as former customers or people who applied for but didn’t obtain a loan or credit card—will have the right to opt out of information sharing with outside companies.

Note that only
some
of the information releases can be blocked.

C O N C L U S I O N

In the interest of keeping commerce moving and allowing institutions to know who they do business with, the GLB allows them to share certain information.

This includes information about customer accounts to organizations that promote the company and its products. It includes information provided in response to a court order. It also includes
payment histories
on loans and credit cards provided to credit bureaus.

Finally, it includes
transaction records
—including
1 7 0

C H A P T E R 7

loan payments, credit card purchases and checking and savings account statements—to organizations that provide its data processing and mailing services.

The rules were issued jointly by the FDIC, the Office of the Comptroller of the Currency, the Federal Reserve Board and the Office of Thrift Supervision.

The National Credit Union Administration, the FTC

and the Securities and Exchange Commission have comparable rules for the institutions and companies they regulate that provide financial products or services. Under the FTC’s rule, for example, credit bureaus are
limited in their ability
to sell nonpublic personal information to third parties such as direct mail and telemarketing companies.

More detailed information about the mailings and what to do about them is available on the FTC Web site at
www.ftc.gov
. A copy of the FTC’s
sample opt-out letter
that consumers can send to credit bureaus to prevent some distribution of their data is included there.

The ability to opt out of marketing mailings—like the ability to opt out of direct marketing phone calls, also administered by the FTC—is an essential part of fighting ID theft.

Until regulations restrict the credit bureaus’ and other financial institutions’ active marketing of personal information, opting out is the best option you have.

1 7 1

B A N K S A N D C R E D I T B U R E A U S

1 7 2

C H A P T E R 8

8

Due to the nature of identity theft (how easy it is to commit when no one is looking), preventing identity theft
starts with the consumer
. Even when law enforcement agencies catch up to addressing the problem, it will still be up to you to prevent the majority of the crimes.

Because ID thieves are opportunistic, some basic
preventive measures can do a lot to dissuade. Prevention starts with deterrence, much like using an
alarm or The Club on your car. Either of these anti-theft devices can be surpassed, but real deterrence
comes from making your car a little tougher to
steal…so that the thief will move on to the next one.

The world is too large, transactions are too quick and easy to make, and the volume of information passed back and forth is too dense for anyone to prevent all ID theft. Accept ID theft as a negative
byproduct
of our modern technology
—like spam, computer
173

P R E V E N T I O N

viruses and other nuisances that get traded when you
swap security for convenience
.

There are two other big burdens you must come to accept:

1)

It’s up to you to safeguard your personal information; and 2)

It’s up to you to report any illegal activity to the proper authorities and agencies.

Unfortunately, no one is going to call you the minute someone starts opening accounts or making large purchases in your name.

No one is going to save your reputation and credit history when it runs amok and requires time, money and energy to repair it. No one can afford to have the “It can’t happen to me” mentality. We’ve seen how anyone’s identity can get stolen and grossly misused.

In this chapter, we’ll outline the only way to avoid the hassle of losing your identity:
prevention
.

None of these preventive tactics guarantees that you won’t become a victim of identity theft. But they will lower your overall risk—especially when used together.

The more locks you have on your doors, the less of a
chance a burglar will come into your home and steal
from you. Likewise, when it comes to ID theft, the
goal is to lessen the number of opportunities a potential thief has to impersonate you.

174

C H A P T E R 8

Y O U R S O C I A L S E C U R I T Y C A R D

We’ve already seen how vital it is to
protect your
Social Security card
. Are you still schlepping it around in your wallet or purse? It’s time to take an inventory of your Social Security numbers lying around and eliminate all chances for its disclosure.

Remove it from your wallet (if it’s still in there) and keep it in a safe place at home, such as a fireproof box where you keep other important documents.

Don’t write your number on a slip of paper to be kept in your wallet, either. If you haven’t done so by now,
memorize your Social Security number
and avoid all extra recordings of it.

As many jurisdictions and counties go online and
attempt to post public records online, you must
worry about records that contain your SSN.

Records have always been available for the public to view on microfilm rolls at the courthouse, but some new laws make those records even more accessible online. Title companies can research deeds from their office computers; and homeowners can look into a lien or judgment without going to the courthouse.

Public
access to electronic records
will continue to broaden. It’s up to you to know what public records contain information about you, and whether those documents can get into anyone’s hands. Many counties are not diligent in
separating public from confidential
documents in their computer databases. Until
175

P R E V E N T I O N

courts adopt policies that comply with the rules, there’s no telling what will end up on the Internet.

If you’ve ever bought or sold a piece of property,
served in the military or been involved in a court
judgment, a valuable piece of your identity could
soon find its way onto the Internet: Your Social Security number. Voter registration cards and marriage certificates can also contain such information.

You can’t prevent local courts from posting information. But you can check these postings online for any references to you. And—since most courts honor requests to edit or obscure personal details—you can ask them to cut out your detailed information. (This cutting is sometimes called redicting.) Never provide your SSN, or any other personal information for that matter, when it’s not necessary.

Product manufacturers don’t need to know your oc-cupation. The health club does not need your SSN.

Only the
government or a lender
should be asking for Social Security numbers. Never have your Social Security number printed on your checks—you can write it in if necessary
California state law now says Social Security numbers may not be openly displayed on things like
health forms, bank account records or anything sent
in the mail. Other states are following this lead.

176

C H A P T E R 8

Many people have been duped by swindlers who pretend to be from the IRS. When someone claims to work for the Internal Revenue Service and starts firing sensitive questions at you, do a little homework before answering. Be
wary of first-time calls
or surprise visits from someone you’ve never heard from before. If the IRS needs to conduct business with you (e.g., you’ve underpaid in taxes), you should receive a letter from the IRS before hearing directly from an agent.

In some cases, IRS criminal investigators may show up without prior warning, or they may try contacting you without having sent a letter first, but you can as-certain their legitimacy by asking for the
employee’s
name, badge number and supervisor’s name
. If they’re legitimate, they shouldn’t mind your calling their office to verify their identity. And, they won’t be asking for your SSN—they’ll already have it.

Best way to handle an alleged IRS agent: Pass the
trouble on to a tax adviser, such as a lawyer, ac-countant or “enrolled agent,” a tax professional
licensed to represent you at the IRS. If you’re still not
satisfied by the investigator’s credentials, or have
some reasonable basis for your suspicions, call
(800) 366-4484. Or write to: Treasury Inspector General for Tax Administration, PO Box 589, Ben Franklin
Station, Washington D.C. 20044-0589. TIGTA says
the information you provide is kept confidential,
and you may remain anonymous.