After identifying and analyzing the identity theft loss exposure (see Part 1), the next step is to select the appropriate risk management techniques. Arguably, the most important technique is risk control. The goal of risk control is to reduce the possibility that a loss will occur and/or reduce the severity of the loss if one does occur.
Choosing effective risk control techniques is the best mechanism to reduce the likelihood of an identity theft and the severity of the theft. Risk control techniques are classified into two major categories—loss prevention and loss reduction.
The goal of loss prevention is to reduce or eliminate the possibility of loss. In regard to identity theft, the goal is to avoid becoming a victim. There are various techniques a person can take in the home, online, outside the home, at work, and when traveling to reduce the chances of being victimized.
In the Home
The first step to prevent identity theft from striking at home is to securely safeguard personal information. For example, an alleged representative of a bank may call a customer asking for certain information for "account verification purposes." If a person, however, receives an unsolicited phone call from someone asking for financial information, this call is probably fraudulent since the bank already possesses this data. According to Security Analyst Robert Hammond, "the only purpose of such a call is to steal that information." Personal information should never be given out by mail, phone, or in person unless the individual has initiated the contact and knows the entity being addressed.
Passwords for credit cards, and bank accounts should be memorized and not shared with anyone. Persons should avoid using their mother's maiden name, date of birth, or the first three or last four digits of their Social Security Number (SSN). In addition, the SSN should be shared only when absolutely necessary. The Social Security card should not be kept in a wallet or purse except in unique circumstances, such as the first day on a new job. Instead, it should be stored in an extremely safe place, such as a safety deposit box. The SSN should also not be utilized as an account number of any type, according to the Social Security Administration, and should never be printed on personal checks.
Individuals should be cautious when storing personal information in the home, especially if he or she has a roommate, employs outside help, or has frequent guests or visitors. According to one legal expert, "The three items identity thieves most covet—your Social Security card, birth certificate, and passport" should be kept in a safety deposit box.
Investing in a high quality shredder is a wise move to prevent identity theft. Dumpster divers are particularly interested in preapproved credit card applications, old credit card statements, and other financial documents. Many persons are unaware of the dangers of simply throwing away the credit card applications because a thief can retrieve the application, mail it in with the address changed to the thief's own address, receive the new cards in the victim's name, and immediately run up charges. The main point is that a person should shred all financially-related documents once they are no longer needed.
A person may opt out of receiving preapproved offers of credit cards or insurance by calling 1-888-5-OPTOUT (1-888-567-8688) or accessing www.optoutprescreen.com. The Direct Marketing Association operates this service, which excludes a person's name from preapproved credit card offers for at least 5 years. In addition, people can instruct the three major credit bureaus in writing not to share their personal information. By writing directly to the three major credit bureaus listed in Exhibit A, consumers can ensure that their names will no longer appear on direct marketing lists.
Outgoing mail with important information should never be placed in personal mailboxes. Instead, it should be mailed at the post office or a secure postal box. When ordering new checks, an individual should pick them up at the bank. If a person has a post office box, this address should be listed on personal checks, so that thieves will not know the person's residential address.
It's also a good idea to order credit reports on an annual basis from all three major credit bureaus. A new federal law now requires each of these credit bureaus to provide one free annual credit report to each consumer. The free credit reports are available by accessing www.annualcreditreport.com or calling 1-877-322-8228. This service allows consumers to check for unusual activity and take quick action, which could impede an identity theft in its early stages. This allows consumers to close out all unused accounts so that there is as little information about them as possible.
There are several miscellaneous steps a person can take if a checkbook, wallet, or purse is stolen. Show only your initials rather than your first name on checks. With this method, if your checkbook is stolen, the thief will not know how the checks are signed, but the bank will. When writing checks to credit cards companies, place only the last four digits of the credit card number on the check. The credit card company knows the rest of the number. In addition, persons should photocopy both sides of each license, credit card, and other important information and keep in a safe but accessible place. These copies allow the victim to contact the appropriate parties as quickly as possible if a theft occurs.
There are numerous techniques a person can implement to reduce his or her exposure to online identity theft. First, information on a personal computer (PC) should be secured through the use of the following.
Anti-virus software which scans the PC for viruses intended to harm the system. This specialized software removes the virus before any damage occurs.
Firewalls head off destructive programs before they strike. Norton and McAfee offer firewall software at affordable prices.
File encryption software that secretly codes and secures the files on a PC.
Never open up unsolicited email or spam. There are several anti-spam programs that effectively filter out spam before it lands in you inbox.
Secure websites have an address that begins with https://, with the "s" indicating that the site is secure. The "s" only appears in that section of the website in which customers enter their financial or personal information. Another way to determine the security of a website is to look for a closed padlock displayed at the bottom right side of the page. If that lock is open, the website is probably not secure. According to one computer specialist, a person should double click on the closed padlock to check the "certificate" for the site. The Secure Certificate Authority ensures the identity of a remote computer via this certificate process, which should specify to whom the certificate is issued. This party should be the same as the one shown on the website being visited.
Outside the Home
There are many steps a person can take while outside the home to reduce the exposure to identity theft. First, an individual should reduce the amount of personal information in his wallet. For example, a consumer should pare credit cards down to one or two and cancel the remaining cards. In addition, a person's Social Security card should nearly always be stored in a safety deposit box.
Second, an individual should be wary of his surroundings when approaching an ATM or public telephone or when using a cell phone in a public location. All efforts should be made to prevent shoulder surfing. In public areas, criminals can more easily abscond with these important numbers by watching the unsuspecting person's fingers or by utilizing a video camera with a zoom lens. A shoulder surfer can also listen near a public or cell phone while the victim is giving out a credit card number to reserve a hotel room or rent a car. A quiet, private location is best to minimize eavesdropping.
Third, an individual should avoid giving out his SSN to merchants when shopping. If an identifier is absolutely necessary, simply reciting the last four digits of the SSN often suffices. Some businesses request the SSN for general record keeping. In this event, the consumer should ask the merchant to use another identifying number.
While at the job site, ascertain who has access to the employee records and verify that this information is securely maintained. The employee should also ask his employer not to use the SSN as a personal identifier.
When engaged in business or pleasure travel, have your mail held at the post office or ask a trusted neighbor or friend to retrieve it each day. Stop all newspaper delivery as well. While on the road, avoid passing on personal financial information to another party unless the setting is private. In addition, while traveling abroad, passports, driver's licenses, and other key data should be stored in the hotel's safe, if possible. A traveler should keep only a copy of his passport on his person.
Rigorous loss prevention efforts reduce the chance of a loss, yet identity theft still occurs. There are multiple steps a person can take to mitigate the effects of the identity theft after it occurs. These include the following.
Contact the "Big Three" credit bureaus
Notify law enforcement
Contact all creditors
Notify the bank regarding check theft
Complete the ID Theft Affidavit
Contact the Federal Trade Commission (FTC)
Notify the Social Security Administration office
Obtain legal advice if necessary
Organize the repair process
Contact the "Big Three" Credit Bureaus
Identity theft victims should immediately call the three major credit bureaus, as shown in Exhibit B.
Table 2. EXHIBIT B CREDIT BUREAU CONTACT INFORMATION
Request that a fraud alert be placed on the account. A fraud alert is a notice placed prominently on a credit report that informs creditors and potential creditors that this person is a victim or a possible victim of identity theft due to the compromising of personal data. With this alert on the credit report, creditors or potential creditors must first call the person for proper verification. This fraud alert should remain in place indefinitely or until the victim asks that it be removed.
The victim's statement should also be included in the report. This statement may read something like "I am the victim of identity theft. Someone has used my identification to fraudulently apply for credit. If an application for credit in my name is received by your organization, please contact me directly at ###-###-#### prior to extending credit." The credit bureau must also provide free copies of credit reports for victims every few months to allow the person to monitor all changes.
The credit bureaus should also remove all inquiries generated due to the fraudulent access. In addition, the victim should ask the credit bureaus to notify those who have received the disputed credit report and alert them about the problem.
Notify Law Enforcement
According to the FTC, identity theft victims should file a report with the police in the locale in which the theft occurred. They should ask for a copy of this police report, which can help with creditors who need proof of the crime. If the local police are reluctant to take the report, they should ask to file a "miscellaneous incidents" report, or try another jurisdiction, like the state police. Unfortunately, the police are not always keenly interested in assisting in this crime. Victims can also contact the particular state Attorney General to discover whether police are required to file reports in incidences of identity theft.
Contact All Creditors
Identity theft victims should also contact creditors, credit card companies, banks, and other lenders, and close any accounts tampered with or opened fraudulently. The injured party should ask for the security or fraud department of each creditor when calling. In addition, the theft or compromising of data should be reported to these companies in writing.
Notify the Bank Regarding Check Theft
If checks are stolen, the account should be immediately closed. Be sure to ask the bank to notify the appropriate check verification service, such as TeleCheck or Certegy, Inc. While no federal laws limit check theft losses, state laws may protect the victim. Most states hold banks responsible for losses stemming from forged checks, but banks can require their customers to notify them of the theft in a timely manner.
Complete the ID Theft Affidavit
In 2002 the FTC unveiled a new tool to assist identity theft victims in restoring their good names. The ID Theft Affidavit allows victims to report the theft to many companies at once, particularly where new accounts are opened in the victim's name. Previously, victims typically had to fill out a separate reporting form for each fraudulent account opened by the identity thief. This affidavit is available on the FTC's website.
Contact the FTC
The Social Security Administration also recommends that identity theft victims, particularly where theft of an SSN is involved, immediately contact the FTC. The FTC serves as the federal clearinghouse for identity theft complaints. While this governmental body does not resolve individual consumer credit problems, it utilizes an online complaint process that helps the government investigate fraud and can lead to effective law enforcement action. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into a secure, online database available to hundreds of civil and criminal law enforcement agencies worldwide.
Notify the Social Security Administration Office
Identity theft victims should also contact the Social Security Administration (SSA) office if their SSNs are being illegally used by thieves for work purposes. One mechanism to determine this is to check the social security statement. In unsolvable cases, SSA can assign the victim a new number, but it cannot guarantee that this measure will permanently fix the problem. It cannot issue a new SSN if a person has filed bankruptcy; tries to avoid the law or legal responsibility; or has had their card lost or stolen, but where there is no evidence that a criminal is using the number on the missing card.
Obtain Legal Advice If Necessary
Even after doing all of the above, it may be necessary to contact an attorney to help restore your good name. Contact the American Bar Association (ABA) for assistance in finding an attorney who specializes in identity theft issues or consumer law. More information is available for locating attorneys at www.abanet.org/legalservices/findlegalhelp/home.cfm. Many cities also have local ABA offices to call to get attorney leads. Another good online reference for locating attorneys is Martindale-Hubbell at http://www.martindale.com.
Organize the Repair Process
One of the keys to regaining a stolen identity is to be extremely organized during the whole process. Without total dedication to organization, a victim becomes easily overwhelmed when dealing with the countless parties that need to be contacted. Being disorganized can also slow down the process of fixing the problem. Mari Frank, an attorney who experienced identity theft herself, provides several reasons why great organization facilitates the restoration process, including the following.
Professionalism—being organized results in greater respect from creditors, credit bureaus, attorneys, and law enforcement agencies.
Peace of mind—a sense of empowerment is experienced when the victim can access the information when necessary.
Effectively answer questions—when all the documents are efficiently organized, the victim is able to speed up the repair process when answering inquiries.
Prove violations—a documented paper trail assists legal counsel who may need such documentation to analyze the case. It can also save legal fees because the attorney will not have to perform many of these functions.
Ms. Frank also recommends that identity theft victims follow nine specific steps in this organization process, as abbreviated in Exhibit C.
Table 3. EXHIBIT C ORGANIZATION STEPS
Obtain proper supplies and equipment
Examples include file folders, filing cabinet, color labels, legal pads, word processor, and printer.
Be prepared at the start
A legal pad, pen, and master log should be ready for the first phone call.
Log all phone calls
The name of the person, title, direct phone number, email address, mailing address, date, and time of call should be properly documented.
Record details of conversation
Information should include an overview of what each party said, tasks each must perform, and information or documentation that is needed by either party.
Establish a filing system
This step involves setting up a file folder for each merchant, bank, or agency involved in the process. In addition, a filing system on the computer for items that can be stored electronically should be established. A master list of all the names and contact information for the people at the various entities is important to maintain.
Establish an expense file
This file should include costs incurred, time spent for each step of the process, payments to anyone hired to assist, travel and mileage expenses, and lost wages or time off from work.
The victim should not panic or let the situation become overwhelming. Establishing a time of day to check the log and calendar helps to reduce stress.
While engaged in this process, the victim should incorporate any improvements or innovations into the plan.
Real effort and perseverance finally results in the recovery of the victim's identity.
Source: Frank, Mari J. From Victim to Victor. Laguna Niguel, California: Porpoise Press, 1998.
Part 1 of this article appeared in July, and Part 3 will be published in September.
Arata, Michael. Preventing Identity Theft for Dummies. Hoboken, New Jersey: Wiley Publishing, 2004, p. 107.
Better Business Bureau. Identity Theft. 2004. Available from URL: www.macon.bbb.org [June 18, 2005].
Federal Trade Commission. "ID Theft: When Bad Things Happen to Your Good Name." 2005. Available from URL: https://www.ftc.gov/news-events [July 2005].
Social Security Administration. "Identity Theft and Your Social Security Number." Feb. 2004. Available from URL: www.ssa.gov/pubs/10064.html [June 21, 2005].
United States Department of Justice. "What are Identity Theft and Identity Fraud?" 2000. [April 20, 2005.]
Weisman, Steve. 50 Ways to Protect Your Identity and Your Credit. Upper Saddle River, New Jersey: Prentice Hall, 2005.
Yip, Pamela. "Credit Bureaus Cope with Demand." Dallas Morning News, June 2, 2005: 2D.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI.
Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion.
If such advice is needed, consult with your attorney, accountant, or other qualified adviser.