Rossander’s Security Reader

Under Federal Trade Commission regulation, any information about an individual that is derived from a consumer report or is a compilation of such records must be properly destroyed. These days, almost all of customer information has some connection to a consumer report and is covered under this regulation (scroll to pg 32).

The regulation does not actually require shredding but for most of us, that is the only cost-effective way to comply with the regulation’s requirements for destruction. Papers in regular trash are exposed to the public and any private information on those papers can be misused by an identity thief. It can cost your customers thousands of dollars to get their identity back and could be considered a violation of federal privacy laws.

I strongly recommend a "shred all paper" policy for your office because there is too much risk that a piece of personal information will be overlooked on the back side of a form or that the page was used for scratch paper while you were on the phone. It’s also easier to enforce the policy when you have a simple rule like "No office paper may be thrown away in the regular trash."

Very small offices can get away with a personal shredder. If you’ve got more than about 10 or 15 people in the office, it’s probably more cost-effective to contract with a reputable shredding vendor who will pick up and properly dispose of your paper waste. Most of the shredding vendors will provide locked bins where the paper waste can be stored until pickup. Have enough bins to be convenient for staff.

Online privacy is hard to achieve – and impossible when you don’t think about it enough ahead of time. Anyone can see just about anything you ever wrote online. That includes webpages, blogs, discussion forums, social sites and email. Recruiters routinely check these sources before making hiring decisions. They are also increasingly popular with investigators. Anyone wanting to look into your background can find a wealth of information online.

There is little true anonymity on the internet. Some sites use passwords to limit the number of people who can access information but passwords are routinely compromised. Other sites allow you to use a pseudonym rather than edit under your real name. With a little bit of work (sometimes very little work), almost everything you wrote can be traced back to you.

Many believe that the vastness of the internet protects them. With millions of pages created every day, how would a hacker ever find my little blog or my email where I admit to some personal detail? In a paper-world, correlating all those sources was impossible. Now, we have powerful search engines and intelligent programs that can match details across multiple pages. They are incredible research tools and make the internet far more useful to all of us but they also can be used to create astonishingly complete profiles of you and your family.

None of it really goes away, either. Even if you removed the webpage, deleted your MySpace account and purged all your email, cached versions may still exist scattered all over the internet. Think twice about what you write and how you write it. Once you post something, you must forever live with the consequences.

When posting online, always assume that someone who you can’t even guess at today will find and use the information. If you want the information to be private or restricted to a small group of people, the internet is probably not the best way to communicate. Remember too that even if you’ve never published anything online, you probably have a nephew or distant cousin who is working on a family history and including details about your life. Keeping your private details private takes work and vigilance.

If you live in Ohio, by now you’ve heard about the loss of the computer backup tape. You may even have received a notice from the state that your information was on the lost tape. By some estimates, the information from as many as one in six Ohio taxpayers was on the tape in one form or another.

On 10 June, the tape was stolen from a state employee’s car. The employee had the tape off-site as part of their regular backup procedures to ensure that they would be able to restore their computer systems if something happened to their data center. By all accounts, the information was stored on the tape in a proprietary format that would be very difficult for any outsider to read or interpret. If you’ve received one of these notices, the probability that your information will be misused is extremely low. You are at far greater risk of identity theft from a family member or friend than from an anonymous crime of opportunity.

If you have received such a notice, you do have a few choices. First, verify that the notice is legitimate. The first round of notices went out from the Ohio Department of Taxation. The second round came from the Ohio Department of Administrative Services. There are unconfirmed reports of fake notices but you can confirm the real notice by going to the state’s official site at www.ohio.gov/idprotect/. Don’t respond to any telephone call or email on this topic. The state is contacting individuals only by mail.

Second, I strongly recommend that you check your credit report regardless of whether you’ve received a notice or not. You are entitled to a free copy of your credit report every 12 months. Look for accounts that you didn’t open. If you find something suspicious, follow the dispute-resolution procedures included with the credit report. Consider checking just one of the three major agencies right now, the next in 4 months and the last in 8 months. That gives pretty good coverage at three times the frequency.

Third, watch your existing accounts carefully. Check for unauthorized charges or withdrawals and watch out for missing monthly statements or bills. Hackers often file a change-of-address to keep you from noticing the abuse. Call your financial institution if you see anything suspicious.

Fourth, think about the identity theft service offered by the state. The state has contracted with Debix to put a fraud alert on your credit report if you sign up with them. You can do the same thing in a few minutes by calling or mailing the fraud department of the credit bureaus. They also offer some other services, but again, nothing that you can’t do for yourself (and have probably already done if you’ve been reading our Tips regularly). Personally, I will not be giving yet another copy of all my personal information to a state-contracted agency when I can do it so easily myself. Note: the fraud alerts expire every three months. Don’t forget to renew. And remember that while most creditors will check before opening a new account, they are not required by law to do so. A fraud alert does not replace checking your credit report regularly.

On the other hand, if you don’t think that you’ll remember to check your credit report regularly, a service like Debix can be useful.

If you received the notice for your company (rather than about your personal information), there is nothing special that you need to do. It is much harder to abuse a corporate tax ID number than it is to abuse a SSN. Your organization’s normal fraud-control procedures are probably sufficient to protect the company.

You should also learn from the state’s example. Protect your company from a similar breach by reviewing and updating your data backup procedures. Make sure that the off-site backups are kept well protected and are encrypted if at all possible.

Despite all the media hype about hackers, security breaches and lost laptops, research shows that just over half of all identity theft is committed by someone close to the victim – a family member or close friend. Recent research also indicates that 55% of all identity theft is committed based on paper documents. As a company, we have to be worried about the attacks against our systems. As an individual, the statistics say that you should be more worried about Uncle Joe or Grandma picking up the credit card statement from your kitchen table.

Unfortunately, if you discover family-related identity theft, there are few good solutions. Most of the legal protections that you have as an identity theft victim will require that you file a police report. The police report could lead to prosecution and even jail time for the offending family member. Few families are ready for the emotional difficulties of prosecuting the case.

Occasionally, a lender will let the victim off the hook without a police report if the thief admits to the deed and commits to making payments and has the means to do so, according to Linda Foley of the Identity Theft Resource Center. The family typically needs to hire a lawyer to conduct the necessary negotiations and to draw up the paperwork.

If you live in a “credit freeze” state (OH is not one yet), you can at least stop further abuse of your identity by putting a freeze on your account and on the accounts of the rest of your family. Freezing your account may not require a police report. Check your state laws for more.

Prevent identity theft in the first place by buying a shredder, locking up or filing bills and statements with personal information and checking your credit report regularly. You can request your own credit report online for free every 12 months. Don’t forget to check your family members’ credit reports at the same time. Children and dependent elders remain high priority targets for identity thieves. (Note: Requests for the credit report of a minor under age 13 must be submitted in writing on this form and with the identifying documents listed here.)

Credit Report reminder: For those of us on the “trimester plan” for reviewing our credit reports, it’s time to ask from for your free copy of your credit report from the next agency.

This is your annual reminder to request your credit report. Under the Fair and Accurate Credit Transactions Act (FACTA), every consumer is eligible for a free copy of his/her credit report every 12 months. Follow the instructions at www.annualcreditreport.com to request your credit report from each of the three major credit reporting agencies.

When reviewing the credit reports, look for:

• adverse actions on your accounts that might indicate that you have been a victim of identity theft
• accounts that have been opened in your name without your knowledge. Even if the identity thief is making the payments regularly, the account could still be in use for illegal activities.

If you find a discrepancy, follow the specific instructions on the website to dispute any incorrect information.

Don’t forget to check the credit reports of your immediate family members, especially minor children and dependent elders. Both of those groups are at elevated risk of identity theft.

Remember that you are also eligible for a report every 12 months from any of the specialty agencies which have information about you.

If you want more frequent feedback on your credit history, consider asking for your free copy from only one of the major credit reporting agencies at a time. Space the requests for the other two agencies out every four months. For example, you could ask for your free copy from Experian in March, your free copy from TransUnion in July and your free copy from Equifax in November. Once you start, you will have to keep the same rotating pattern. Schedule the requests on your calendar.