A close friend recently reached out to me to ask some questions about what she needed to do to protect her family’s information. After exchanging a few emails with her on the subject, I adapted the dialogue into the FAQ guidance below.
Question: I’ve been hearing more and more about identity theft and how we need to protect ourselves, but I don’t know which company to sign up with. Other parents in the PTA suggest LifeLock, I’m sure there are others. Do you have any insider tips/info on a reputable company?
Answer: At this point in time, it is not clear that purchasing services from companies purporting to help protect consumers from identity theft will actually decrease the probability of us becoming identity theft victims. Such services may help us find out about identity theft sooner than we otherwise might, which could decrease the magnitude of the identity theft. However, because consumers are not liable for paying debts accrued as a result of identity theft, these services provide little economic benefit to justify their costs.
Meanwhile, these companies become one more entity authorized to store our sensitive information, and they do not necessarily do so in the most secure manner. For example, LifeLock recently entered into a $100 million settlement with the FTC for (1) failing “to establish and maintain a comprehensive information security program to protect users’ sensitive personal information including their social security, credit card and bank account numbers,” (2) falsely advertising that it protects consumers’ sensitive data “with the same high-level safeguards used by financial institutions,” and (3) “falsely advertising that it would send alerts ‘as soon as’ it received any indication that a consumer may be a victim of identity theft.”
Every time we give our information to another entity we put ourselves at an increased risk of identity theft. In fact, data security firms like LifeLock can actually be attractive targets to hackers. In my opinion, some of the more important protections against identity theft are to (1) regularly update the software on our computers; (2) using a variety of passwords and keeping them safe; (3) only share our financial information through accredited secure systems (e.g. Versign); (4) maintain a good relationship with a relationship manager at our banks; and (5) checking our credit scores once a year, which we can do for free. For a more robust list of what you can do to keep your family safe, check out these tips provided by the U.S. Computer Emergency Readiness Team (US-CERT). US-CERT is a part of the Department of Homeland Security and is one of several government agencies tasked with staying on the forefront of cybersecurity issues.
Question: I feel unsafe online. I’m working on my laptop and do not feel protected at all. What do you recommend?
Answer: The good news is that we are unlikely to be hacked simply by using our computers on our home wifi network, unless we click on a link that contains a virus or provide our information to the wrong person. The bad news is the wrong “person” could be a business that we know and trust, but in fact has weak data security systems and practices. Hackers are more likely to target digital locations that have hundreds of thousands of bank account, credit card and/or social security numbers. Some businesses invest heavily in data security, some don’t and it’s not transparent.
In today’s world, there is no way to protect our information from getting into the wrong hands through the internet. Even if we avoided the internet and electronic financial transactions altogether, our information is probably out there already in locations of which we are not aware. The important thing to realize is simply because somebody gains access our information does not mean that person will be able to use our information to harm us. Currently, the strongest identity theft protections afforded by the law relate to verification processes, though regulation of data security practices is starting to catch up.
Question: What do hackers want to do with our information?
Answer: First thing to realize is that not all hackers are the same. Some hackers are thieves, they try to obtain our information so they can steal money, open credit cards or sell our information to other criminals. Some hackers are vigilantes, they use their skills to punish people, companies or governments who they believe deserve punishment. Some hackers are enterprising, they use information to target individuals to engage in business transactions. Sometimes the business transactions can be a form of fraud.
Question: Who is responsible for stopping cyber criminals from harming us?
In general, if hackers are trying to steal money from us by using our account numbers for online purchases, then it is typically our banks responsibility. As explained by the Federal Trade Commission on its Identify Theft website, we have limited liability for fraudulent transactions caused by identity theft. Under most state laws, we are not responsible for any debt incurred on fraudulent new accounts opened in our name without our permission. If someone makes unauthorized purchases using our debit card number, but not our card, we are not responsible – provided that we report the problem within 60 days after we are sent the account statement showing the unauthorized debits.
Because the liability rests often rests with the banks, financial institutions have been investing in robust cybersecurity and identity theft protection systems for years. They are in the best position to protect us from theft and–for the most part–they do a very good job.
For cyber criminals who target us by committing fraud, we are our best protection. We must be very wary about what information we provide online or over email and very cautious when somebody asks for us to provide our information over email–even if we recognize the name and email address making the request. Cyber criminals have been known to find a person’s email addresses and passwords, then signing in to manipulate that person’s contacts for financial gain. This strategy is known as “social engineering.”
Question: What do we need to do if cyber criminals are successful in harming us?
Victims of identity theft should visit the Federal Trade Commission’s Identify Theft website. The site is designed to help us more seamlessly navigate through what would otherwise be a very lengthy and painful process.
Victims of other crimes should contact a cyber attorney.