As the CEO of a risk management company, I think critically about data breaches all the time. Every day we are working to make sure our clients have the means to protect themselves, their customers, their employees, and their communities. We help them manage all kinds of risks: competition, goal achievement, vendors, regulation changes, and of course, data theft.
In the recent Equifax data breach, hackers gained access to 143 million consumer names, addresses, Social Security numbers, birth dates, and in some cases, driver’s licenses.
When I heard about the Equifax scandal, I realized this breach was unlike any that had happened before and was a point of no return for risk management. My mind couldn’t help thinking about the implications to corporations and what they need to be doing better in terms of security, and how we could help them achieve that. But then, after talking to my friends, my family, my employees, leadership teams, and state officials, I realized that the thing on most people’s minds is: What if I’ve been compromised? What will happen if someone steals my identity? What do I do now?
As an employer, I realize that this breach has an enormous effect on my employees. How can I expect them to focus on their work when they’re worried about their bank accounts, their kids, their futures?
Fortunately, my experience in analyzing and preventing scandals such as data breaches prepared me to come up with a playbook of what my employees, family, and friends can and should be doing to protect themselves in the hopes of alleviating their anxiety. I’d like to share this playbook with all of you:
Now let’s look at this playbook in detail:
One. Take this seriously.
Reactions to these kinds of events are usually split down the middle. People either spring into action, realizing the gravity of the situation, or they play the complacency card. “It won’t happen to me.” “I’m probably not even compromised.” Etc. Etc.
143 million U.S. consumers are affected by the Equifax data breach. Taking into account people who are too young to have reported their information to any credit bureaus, this means that your chances of being affected are about 50/50.
Not only is the scope of this breach huge, but it’s unique in that it connects all the necessary dots for identity criminals. Not only do they know your SSN, they know your credit limit, which means they know exactly how much money they can spend before getting blocked. Accessing, draining, and opening accounts has truly never been easier.
The list of potential consequences goes on and on. However, the point of this article isn’t fear mongering. It’s to motivate you to take actionable and effective steps towards protection.
Two. Get educated.
There’s so much on the internet now about credit freezes, credit monitoring, and credit alerts following this breach. The first step is to get it all straight.
Here is a helpful article about the difference between credit freezes, monitoring, and alerts and what they cost:
Here’s a quick summary:
Credit monitoring: All big-three credit bureaus offer credit monitoring for a monthly fee. Credit monitoring can help you spot errors in your credit report that could affect your score, or spot signs of identity theft such as hard inquiries made without your permission, or new accounts you didn’t open.
Fraud alerts: A fraud alert requires the bureaus to put a special notation in your credit file which notes that you have a suspicion that you have or may become an identity theft victim. A creditor such as a bank is then required to take reasonable measures to verify your identity before approving credit in your name. This is often done by calling the phone number in your file and getting approval for the loan or transaction that they are processing.
Credit freeze: A credit freeze allows you to seal your credit reports so that no new applications for credit can be initiated in your name without your knowledge. When you do a credit freeze with the 3 main credit bureaus, you get a PIN that only you know. This PIN can be used by you to temporarily re-open your credit so that legitimate applications for credit and services can be processed. A freeze does not affect your credit, does not disallow you from using your credit cards, and does not interrupt any business you are doing with current creditors.
Three. Opt for the credit freeze.
Unfortunately, monitoring is where many consumers are being pushed because companies who offer these services stand to make a lot of money off of you, since these services require monthly fees that can cost you upwards of $200 a year.
Monitoring is also a reactive technique to identify theft, not a proactive one. By the time you’re aware of fraudulent activity on your account, it’s already too late; you’ve already lost the money. In addition, many banks have policies that say they will reimburse you up to a certain amount if you report the activity within 60 days. But alerts typically don’t appear on your credit report for 60 days, so by the time you find out, it’s too late to be reimbursed at all.
Fraud alerts aren’t a good option because you must often choose between being annoyed and having enough coverage. Typically, you choose the amount you wish to be alerted about. Opting to be notified every time a suspicious $50 charge is made would be aggravating, while opting to be notified when a suspicious $1000 charge is made wouldn’t be enough coverage.
I believe that freezing your credit is the best course of action. Some people are referring to this as the “nuclear option,” but I wholeheartedly disagree.
How many houses do you buy on average per week? Zero.
How many cars do you lease on average per week? Zero.
How many credit cards do you apply for on average per week? Zero.
There is absolutely no need for your credit to be unfrozen at all times. Yes, you must freeze your account with all three credit bureaus: Equifax, TransUnion, and Experian. And yes, you must unfreeze your account every time a lender needs access to it. And yes, freezing and unfreezing your account does cost money.
However! The pros entirely outweigh these perceived cons. Freezing your account with each bureau can be done online, which will at most cost you 15 minutes per application, as opposed to the 175 hours the average victim of identity theft spends recovering from an attack.
A word to the wise: If you choose to freeze your credit online, do not google and go. There are many fake sites out there waiting for your information. Make sure you have the right site before entering any information. Go to the bureau’s website and search for their freezing application through there.
As for the cost, Experian just announced that they will be waiving the fee for freezing your account with them until November: https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp. Freezing your account with other bureaus differs by state, but typically ranges from $0-$10 per bureau. When you want to lift the freeze, you will have to pay another fee similar in dollar amount. However, this is nothing compared to the $1,400 the average victim pays in out-of-pocket recovery expenses, and is negligible compared to having your accounts completely drained.
Here is a breakdown of what each state charges for credit freezes and lifts regardless of bureau:
There are many security benefits to this option as well. Accessing your credit through a PIN that you can keep in a safe place, such as an encrypted password vault, is a sure-fire way to ensure that only legitimate requests are being made into your credit. For example, you’ll always know when you’re in the market for a loan, which means you’ll always know the appropriate time for your credit to be accessible and who is requesting access. You can even ask potential creditors which bureau they use so that you don’t have to unfreeze all three.
Overall, the credit freeze is an easy, cost-effective way to prevent your credit reports from being used by identity thieves. Locking your credit file is superior to being notified of fraudulent activity AFTER the fact.
Here are links on how to freeze your account with TransUnion and Experian:
Four. Get identity restoration support.
The reason I don’t say “Get identity theft insurance” is because insurance can mean a lot of different things. There are many identity theft insurers out there that will entice you with protection that looks great on paper but will overcharge you with bells and whistles you may not need.
So when looking for identity theft insurance, make sure that the service you are receiving is identity restoration support. This means that you will have a team of highly experienced experts ready to restore your identity and get your money back should a breach occur.
The 175 hours of recovery time I referenced earlier is spent in dealing with police, lawyers, banks, insurance companies, and many other things that the average person does not have experience dealing with or the time to deal with. This is, unfortunately, the name of the game: make getting your money back so time consuming and tedious that you walk away with less than you deserve. Restoration experts won’t let this happen because they provide this type of expertise:
Don’t get distracted and bogged down in all the details and bells and whistles of other features. I would say that at least 80% of the value of this type of insurance comes from this restoration service. The other 20% can come from whatever other features appeal to you.
My last word of advice concerns the company you work for. Many corporations believe that technology will be their weakest link in the aftermath of this breach. But it’s not. The identity theft game has changed. Now it’s the people and the processes and procedures within corporations and their third-party suppliers that are their weakest links. Corporations are made up of people who handle very sensitive information, and it’s these people that could be impersonated in an effort to wreak havoc on the company. I will be writing more blogs on the steps corporations can take to protect themselves against the consequences of identity theft that I hope you will share with your company. Here is a helpful resource I’ve written with advice to corporations.