We commissioned a national poll last month which found that nearly 40 percent of Americans believe "identity theft is not a serious problem." In fact, they said they thought that it's "a marketing tool or scare tactic for companies selling credit monitoring or ID theft protection." When we saw these results, we were aghast. How is it that people really feel this way? Then I read the January issue of Consumer Reports and I had my answer... at least I was closer to it. They claimed the threat of identity theft was "exaggerated," advising consumers to avoid identity theft protection services. "Do it yourself for less," they said.
Consumer Reports is an organization I admire and often look to for guidance, but this time they were wrong, and frankly their advice is dangerous.
Identity theft is like a natural disaster. Remember Superstorm Sandy? New York Governor Andrew Cuomo and New Jersey Governor Chris Christie repeated the directions over and over again: fill your bathtub with water and stock up on food, first aid supplies and gasoline. When the storm ended, the gas lines stretched for miles. Tempers flared, lines were cut, and guns were drawn.
Three months after Sandy devastated the Northeast, Nemo sent folks flocking to gas stations. Mayor Michael Bloomberg called a press conference to say that a gas shortage was not imminent this time, and urged people to go home. Whereas people were unprepared the first time, this time many overreacted.
When it comes to identity theft, many Americans are just as unprepared as they were for Superstorm Sandy, and I fear that they won't wake up to the danger until after a crisis has hit.
The Federal Trade Commission recently reported that the number of identity theft complaints surged 32 percent to nearly 370,000 last year. The actual number of victims in 2012 is more than 12.6 million, according to a report by Javelin Strategy & Research. And that's only what we know about.
These numbers don't adequately convey the true magnitude of the threat. Since 2006, more than 600 million consumer records have been improperly accessed and exposed to identity theft. Breached databases come in every stripe, every size, both public and private, even major media outlets are not immune. The purloined data has been sold and resold, and even published on public websites for all to see -- and many to exploit for profit, guilty pleasure, or to advance their political or ideological agendas.
The targets are household names, diverse and juicy: LinkedIn, Twitter, Evernote, Epsilon, Heartland Payment Systems, the Sony PlayStation Network; RSA, (a company whose sophisticated authentication systems are used by governments and corporations worldwide), defense contractor Lockheed Martin, Bank of America, Wells Fargo, JP Morgan Chase, the Georgia Department of Revenue, the New York Times, the Wall Street Journal, various federal agencies and so on and so on and so on.
Just last week we learned that First Lady Michelle Obama's credit report, along with the intimate financial details of some of the biggest celebrities in the world, had been posted on a website which is hosted offshore.
Your information is out there, via breaches and daily life -- whether that means Facebook posts, geo-tagged photographs, online quizzes, phishing emails, open WiFi connections, answering the wrong phone call, responding to the wrong text, or the countless mistakes we all make in moments of distraction. And identity theft is the crime that keeps on giving.
Some thieves specialize in stealing the identities of infants and children, knowing it could be more than a decade before their victims begin applying for credit and discover the crime - their financial lives ruined before they've even begun. Others cobble together names, addresses, Social Security numbers and dates of birth from different people, creating bionic identities that minimize their risk of apprehension and prosecution as they spread the damage of their frauds to multiple victims.
More and more criminals are committing crimes using stolen identities, effectively turning victims into human shields. And, in the case of medical identity theft, fraudsters use stolen identities to gain access to medical products and services, potentially exhausting insurance coverage, causing denial of treatment and/or resulting in commingled medical records where allergies disappear, blood types change, and lives are endangered.
My point is that these risks are very real. Identity theft continues to morph and evolve in complexity and gains even greater traction with more organized criminal enterprises as their crime of choice.
So you can imagine my frustration when I read the article in Consumer Reports.
While the story contains a few kernels of truth, the message is dead wrong. I don't dispute the fact that many identity theft service providers are expensive and offer some features that consumers can do themselves for free or find elsewhere for far less. Several operate on a "breakage model," which couples relatively high monthly fees with the promise that consumers can cancel at any time. These companies run aggressive marketing campaigns that constantly bring new customers in the front door to replace those they lose through the back.
A significant percentage of their customers do drop out after a few months of "all clear." They interpret that to mean they're not in danger and are paying for something they don't need. They don't view it like AAA, which is something you may not necessarily use, but are comforted by knowing you have. Many of these programs are heavy on various types of monitoring, which oftentimes does not detect more virulent forms of identity theft, yet light on education and high-touch resolution services for victims who are in way over their heads.
Some identity theft protection companies have had their share of lawsuits in recent years, and Consumer Reports is right to raise the warning flag. That said, there is far more to the story; and assertions that the threat of identity theft is "exaggerated," serious cases of identity theft are the exception, and you can do most monitoring and resolution yourself are far too simplistic.
Let's say someone hijacks your name, Social Security number, bank account and credit cards and they buy houses in Texas and cars in Connecticut using your information, your credit and your money. While it's entirely possible you could resolve it on your own, forget about working a full-time job or tending to your family.
The process of figuring out the damage, clearing your name and restoring your credit is often a full time job. The credit, billing and data industries have grown so complex that hunting down all the third-party vendors, data aggregators, niche credit bureaus, medical offices and law enforcement agencies that prejudge you a deadbeat, or a criminal, and convincing them to wipe the slate clean can easily take several months (if you're lucky). And, there's no guarantee that when you believe your work is done, the problem doesn't resurface a year or two down the road because your information was sold and resold multiple times on the black market.
This leads me to the second thing that Consumer Reports got only half right: They say identity theft protection is too expensive, noting that paid services can often "cost $120 to $300 annually." That may be true, but that's not the end of the story.
There are other more affordable options. It's even possible you may already have identity theft protection. Check with your insurance agent, bank, credit union or the HR Department where you work. Ask if you are already enrolled in, or have access to a program that provides education, pro-active assistance and damage control if you become a victim. You may be pleasantly surprised. It might even be free, or available to you at minimal cost -- sometimes as little as $15 a year. Many others provide access for less than $50 a year.
Full disclosure: I know this because a company I founded in 2003 provides these services to institutional clients, and they in turn offer the service to their clients, customers, members, or employees. Some may offer the service at no cost, while others charge fees ranging from $15-45 for an endorsement to a homeowner's or auto policy, for example.
There are other companies that do this kind of work. The point is that if you're not interested in paying the going rate in the direct-to-consumer world, it is worth finding out if you can get a service like this through an existing business relationship or insurance policy. However, even having access to such services doesn't relieve you of the personal responsibility to stay aware. You should seek out sites that have tools to alert you to changes in your credit score or status. Some are free, some come at a cost.
For an independent source on how to decide which service is right for you, check out the Consumer Federation of America site which is dedicated to educating consumers about the crime, ways they can better protect themselves, and best practices in the identity theft services sector.
Consumer Reports did get it half right -- there are some opportunists in the identity theft protection industry (just as there are in every business sector). However, by missing the other half, and encouraging consumers to face this epidemic alone, they got a major part of the story wrong. As for the allegation of scare tactics: color me guilty. Identity theft is damn scary.
With the world awash with sensitive personal data, it is inevitable that each of us will be a victim at some point -- many of us with drastic consequences for our families, our finances and our lives.
Superstorm Sandy scared millions into taking Mother Nature and climate change more seriously. Let's hope it doesn't take a catastrophe to wake people up to the seriousness of identity theft.