The practice of implementing and renewing fraud alerts by several companies selling identity theft prevention/recovery products may stop.

Fraud alerts can be put in place at one of the three major credit bureaus (which automatically notifies the other two bureaus) when an individual believes that they are a victim of identity theft or have reason to believe that may become a victim of identity theft.  The initial fraud alert lasts 90 days and then must be renewed or it drops off the individual’s credit file.

An entire identity theft prevention industry has come into existence primarily based upon a service which renews a fraud alert for individuals automatically every 90 days.

A court case involving identity theft protection service LifeLock and credit bureau Experian ended in LifeLock being ordered to stop implementing fraud alerts on behalf of third parties (Lifelock’s customers) at Experian.

Debix- another identity theft protection service - announced that they will discontinue the use of fraud alerts due to the opinion issued by the U.S. Federal District Court in the Experian v. LifeLock case.

Regardless of the court’s opinion and the impact on commercial identity services, individuals would be wise to consider a security credit freeze as a more powerful alternative to a fraud alert.  The security credit freeze offers better protection against new credit lines being opened because it blocks the credit bureaus from providing a frozen credit file to potential creditors rather than just the “note” a fraud alert places on a credit file.  While there is a fee each time an individual orders a freeze or thaw on their a credit file, the added security may be worthwhile for many consumers.

For example, if an identity thief applies for a new credit card in your name the card issuing company will attempt to pull your credit report to see if you qualify.  When a credit freeze is in place, the card company will not be able to access your credit report at all.  Therefore, the card company will not issue a new credit card to the impostor.

If the security credit freeze is not attractive to victims of identity theft, there is also the option of a seven year extended fraud alert.  Identity theft victims must provide an identity theft report in order to qualify for the extended alert.

From the strange but true department, I tripped across this press release today:

National Right to Work Foundation attorneys have successfully negotiated a settlement with the Communication Workers of America (CWA) Local 1103 union for Patricia Pelletier, a worker who was targeted by CWA operatives for a vicious campaign of retaliation after she attempted to remove the union from her workplace.

Connecticut’s lack of a Right to Work law compelled Pelletier, a Hartford-based employee of the Connecticut Student Loan Foundation, to pay union dues as a condition of employment. Dissatisfied with the union’s presence in her workplace, Pelletier exercised her legal right to circulate a decertification petition to eject the union. Her co-workers ultimately voted to remove the unpopular union, but CWA operatives responded by allegedly forging Pelletier’s signature on numerous magazine subscriptions and consumer product solicitations.

In her lawsuit, Pelletier also alleged that union officials planted cocaine in her office in an effort to have her fired.

Pelletier’s home was then flooded with hundreds of unwanted magazines and advertisements. Not only was Pelletier forced to spend several hours each day canceling individual subscriptions, she was also billed for thousands of dollars by unwitting magazine companies, jeopardizing her credit rating. Even after her lawsuit was filed, Pelletier still received excess mail from a variety of journals and magazines, and her name continued to be circulated through advertiser mailing lists across the country.

The 31-count suit brought by Foundation attorneys for Pelletier against CWA Local 1103 and four union officials alleged that CWA operatives committed identity theft, conspired to forge Pelletier’s signature, inflicted undue emotional distress on Pelletier and her family, and violated Connecticut’s Unfair Trade Practice Act by unlawfully retaliating against Pelletier for attempting to remove the union.

Although Foundation attorneys achieved a settlement that satisfies Pelletier, the terms of the settlement are confidential.

“We’re happy to report that after enduring a trying ordeal, Patricia Pelletier is finally getting a satisfactory resolution,” said Stefan Gleason, vice president of the National Right to Work Foundation. “No worker should be subjected to vicious union retaliation for exercising their rights in the workplace.”

For the full release, click –> here.

FTC Chairman Jon Leibowitz told a data security workshop on Monday that the United States and other countries must “move beyond the ‘we agree to disagree’ approach” to securing consumers’ sensitive information in the global marketplace. Such harmony among nations, which have varying privacy rules and regulations, is “not beyond our reach,” Leibowitz said, pointing to the Organization for Economic Cooperation and Development’s 1980 privacy guidelines and a set of security guidelines adopted by the group in 2002. “Without adequate data security there really is no privacy,” he said.

Corporations must protect their back doors from hackers, malware, spyware and other high-tech intrusion mechanisms and protect their front door by properly storing and disposing of consumers’ data, Leibowitz said, noting that the FTC is “not shy about knocking on anyone’s door.” Since 1999, the agency has brought a number of cases alleging that companies failed to protect data, including a settlement this month with a consumer reporting agency that failed to properly screen prospective customers and, as a result, sold at least 318 credit reports to identity thieves.

See the full report at National Journal Online.

Over at The Red Tape Chronicles, my friend Bob Sullivan is drawing attention to the new FTC ads spoofing FreeCreditReport.com.  Here’s a taste of what Bob is reporting:

You’re the federal agency charged with protecting consumers. You have a $250 million annual budget, subpoena power and the ability to refer cases to the Justice Department for prosecution. So what do you do when one of America’s biggest companies continually flouts the law?

You challenge the company to a joke-off.

At least, that’s what the Federal Trade Commission has done. On Tuesday it released two videos that spoof the popular FreeCreditReport.com commercials and their trademark catchy tunes.

The government’s ads never mention FreeCreditReport.com by name, but the target is clear.

“Beware of others, there’s always a catch,” the singer croons in one ad that’s a dead-ringer for the FreeCreditReport spot set in a restaurant. “They claim to be free but strings are attached.”

FreeCreditReport.com is owned by credit bureau Experian, which has been engaged in a decades-long battle with the Federal Trade Commission over alleged misbehavior. Most recently, in 2005, the FTC settled charges with the firm that it intentionally misled customers with its FreeCreditReport.com Web site. The FTC said in its lawsuit that the company was confusing consumers who were looking for their congressionally mandated free annual peek at their credit reports. Experian agreed to refund customers, but admitted no wrongdoing.

Even after the settlement, it kept right on marketing FreeCreditReport.com, where consumers must sign up for a $15-a-month service in order to get their credit reports. The lead singer in the ads has even become a cult figure on the Web, as my colleague Helen Popkin explained recently.

Read the full report at Bob Sullivan’s The Red Tape Chronicles.

As discussed here last week, my hometown of Steamboat Springs, CO suffered a data breach as a result of a laptop stolen during a burglary of the local school district office that has impacted upwards of 1,300 past and current Steamboat Springs School District employees.

Last Friday, I wrote a column titled Stolen Laptop Brings Identity Theft Risk for my local paper, The Steamboat Pilot & Today, offering a number of suggestions for both the school district and the employees that had their Social Security numbers stolen.

Today, the Steamboat Pilot & Today has a report titled District Charging Former Employees For Credit Monitoring on the school district’s response to the breach and the plan to offer credit monitoring.  As most readers know, the standard procedure around the country in a data breach that exposes personal identifying information that can be used to open a credit line is to offer at least one year of free credit monitoring paid for by the custodian of the records that were breached.

As you can guess from the title of today’s report, Steamboat seems to be taking a rather different approach.  Here’s the relevant portion of the Pilot’s report:

The Steamboat Springs School District is offering discounted credit monitoring for about 900 former employees whose Social Security numbers were on a stolen laptop, but some retirees aren’t pleased they have to pay anything to protect their credit.

The district will offer a year’s worth of credit monitoring for $40 to former employees whose Social Security numbers were on the laptop stolen from Finance Director Dale Mellor’s office the night of Feb. 24. That price is a discount from the regular price of $100 individuals would pay on their own for EquiFax monitoring, District Human Resources Director Anne Muhme said.

The district will cover the cost of credit monitoring for 423 current employees, including substitutes and other part-time positions.

The coverage for current employees will cost the district about $17,000, Muhme said. Covering past and present employees would have cost about $52,000.

The report goes on to provide quotes from a number of former employees who are – to say the least – unhappy that the school district is not paying for their credit monitoring.

Those employees have every right to be dismayed.  The school district should provide credit monitoring for all impacted employees regardless of whether they are current or former employees.  It goes without saying that identity thieves don’t differentiate based upon job status.

As the district’s decision appears to be based upon cost, the district should either find a more cost efficient means of protecting all those who had their Social Security numbers stolen or find the funds to  provide monitoring for everyone under the plan being offered to current employees.

A final note.  Towards the end of today’s report is perhaps the most bizarre response I’ve ever witnessed to a data breach.  You have to read it to believe it – so here it is:

Steamboat Springs School Board member John De­­Vincentis, a former Strawberry Park Elementary School principal whose Social Security number also was on the stolen laptop, said he has heard from several frustrated former employees. DeVincentis would like the district to show its concern and appreciation for those former employees without paying the $52,000 it would cost to provide monitoring for everyone.

“I’m looking for an in-between, something that keeps good feelings between the old staff and current staff and the School Board. Fifty-two thousand dollars is not worth it, probably, in my eyes,” he said.

DeVincentis suggested offering a picnic or a free school program for those affected.

“Just something that says you guys are worth at least a picnic or a talk or to do something fun together,” he said.

So let me get this straight.  A member of the school board is suggesting a picnic instead of credit monitoring?

Incredible.

In that case, I would suggest the only meal that would do justice at the picnic would be baloney sandwiches.  That way the former employees can be full of the same substance as school board member DeVincentis.

Getting Credit Scores Online Not Always Free, Safe:

Free credit score offers are popping up all over the Internet.

How does a consumer decide which sites are reputable and which are scams? And are any credit scores actually free, or do they come with strings attached?

There are some ways consumers can get their credit score for free.

But usually they cost – roughly $15 for a score that includes a detailed credit report.

Consumers should be wary of the potential for identity theft if they fall for a fake site.

“In general, people should always be concerned about using any site that’s asking for personal information when they’re not familiar with those sites,” said Rob Douglas, a Steamboat Springs privacy consultant who runs InsideIDTheft.info.

Too, experts stress that while the three-digit score is critical to a financial company deciding whether to loan you money and at what interest rate, it may not be necessary for you to pay to get that score.

See the full report at The Rocky Mountain News.

Credit-Monitoring Services: A False Sense of Security:

With the ink barely dry on headlines about what could be the biggest security breach in history (identity thieves hacked into payment processor Heartland Payment Services, possibly gaining access to the credit-card information of millions of consumers) signing up for a credit-monitoring service may have jumped a few notches on your to-do list.

After all, paying $12 or so a month seems like a small price to pay for the peace of mind that — through regular alerts about activity on your credit reports and other monitoring services — you’ll be protected from identity theft. Right? Think again.

“For most consumers, these services are a waste of money,” says Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, a nonprofit consumer information organization in San Diego. They don’t do anything that consumers can’t do themselves, are laden with loopholes and, in some cases, use questionable marketing methods to get consumers to sign on.

Nevertheless, the credit-monitoring business is booming. Last year, 33 million people, or 22% of the U.S. adult population, used such services, according to Javelin Strategy & Research, a financial-services research firm. And the firm expects the market to grow at double-digit rates over the next several years.

Consumers, however, need to understand what it is they’re actually buying.

See the full story at SmartMoney.

Mortgage Broker Broke Data Security Laws:

The Federal Trade Commission has charged a mortgage broker with discarding consumers’ tax returns, credit reports, and other sensitive personal and financial information in an unsecured dumpster, in violation of federal law.

According to the FTC, in December 2006, approximately 40 boxes containing consumer records were found in a publicly-accessible dumpster. The records included tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers’ licenses, and at least 230 credit reports. The FTC alleges that the defendant, who has owned numerous companies that handle sensitive consumer information, kept the documents in an insecure manner in his garage before improperly disposing of them.

As charged in the FTC’s complaint, the defendant has failed to implement and monitor policies and procedures requiring secure disposal of credit reports; ensure that employees or third parties assigned to transport such documents for disposal are qualified to do so and have received appropriate guidance or training; alert employees or third parties to such documents’ sensitive nature or instruct them to take precautions; and oversee the transport of such documents for disposal, or otherwise confirm that the documents are disposed of in a way that ensures that they cannot practicably be read or reconstructed.

The complaint also alleges that the defendant provided customers of two mortgage brokerage companies that he owned – First Interstate Mortgage Corporation (FIM) and Nevada One Corporation (Nevada One) – with a written statement claiming that the companies maintained “physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction.” The statement also claimed that the companies contractually required third-party service providers to safeguard consumer information and use it only to provide services for FIM and Nevada One. According to the FTC, however, the defendant failed to implement reasonable data security measures in key areas at the companies, including the physical and electronic security of sensitive consumer information; the proper collection, handling, and disposal of such information; and employee training. The defendant also failed to provide reasonable oversight of the handling of the information by service providers, including by contractually requiring them to maintain appropriate safeguards for the information.

Gregory Navone of Las Vegas is charged with violating the Fair Credit Reporting Act and the rule regarding Disposal of Consumer Report Information and Records (Disposal Rule) by failing to take reasonable measures to protect consumer information derived from consumer reports against unauthorized access in connection with its disposal. He is also charged with violating the FTC Act by falsely representing that FIM and Nevada One implemented reasonable and appropriate measures to protect sensitive consumer information from unauthorized access, and that the companies contractually required service providers to safeguard customers’ information and use it only to provide services for FIM and Nevada One.

Source:  The Federal Trade Commission

Mitigating Identity Theft:

Identity theft is the new crime of the information age.

A criminal collects enough personal data on someone to impersonate a victim to banks, credit card companies and other financial institutions. Then he racks up debt in the person’s name, collects the cash and disappears. The victim is left holding the bag. While some of the losses are absorbed by financial institutions–credit card companies in particular–the credit-rating damage is borne by the victim. It can take years for the victim to clear his name.

Unfortunately, the solutions being proposed in Congress won’t help.

To see why, we need to start with the basics. The very term “identity theft” is an oxymoron. Identity is not a possession that can be acquired or lost; it’s not a thing at all. Someone’s identity is the one thing about a person that cannot be stolen.

For the full article see:  cnet news.

If Your Data’s Been Stolen Don’t Panic:

So-called breach letters — news that your personal data has been compromised — are a dime a dozen now. Should they go straight into the circular file? Every adult should expect to get a letter if they haven’t already. I’ve received three. Indications are that the situation is getting worse, but we don’t know whether that’s because there are more reports or because there are more breaches.

Don’t ignore a breach letter if you receive one. Read it carefully. If the breach involves an existing account, I recommend that people simply monitor their monthly statements. It’s more serious if your Social Security number has been compromised.

How so?  Your Social Security number is the key piece of data that identity thieves need to open new accounts in your name. That’s more difficult to recover from, and it takes more time. We still tell people not to panic — there’s not a lot of evidence that connects the dots between data breaches and ID theft. There’s little likelihood that you’ll become a victim because of a security breach. Even so, you should take steps to protect yourself.

For the full report see The Washington Post.