It’s all over the news: celebrity photo hacking scandals, digital security breaches at major retailers, and banks that have misplaced unencrypted backups of confidential customer data.
More than 13 million consumers suffered from identity fraud in 2013, according to a study by financial services research firm Javelin Strategy & Research. This is second only to 2012, when the Bureau of Justice Statistics estimates that 16.6 million people suffered $24.7 billion in financial losses due to identity fraud. Javelin identifies the root of the fraud to be both data breaches of businesses and a lack of adequate password protection on the part of consumers.
You would expect any activity that affects 7% of all Americans over 16 years old to spawn an industry to address it, and identity theft and fraud protection is no exception. Players range from independent companies offering standalone services, to credit bureaus offering credit monitoring services, to credit card issuers pitching added protection for a fee.
You would also be correct if you expected the marketing of such fraud protection to be subject to deceptive practices.
The legal dictionary defines fraud as “the intentional use of deceit, a trick, or some dishonest means to deprive another of their money.” However, the more polite term used when it comes to financial settlements with banks and others selling identity theft protection is deceptive marketing.
That somewhat more tepid term allows public relations flaks to spin deceptive marketing as the actions of overzealous ad men –mere misunderstandings in their attempt to sell legitimate protective services to consumers — rather than crimes.
In 2012 several states along with the federal Consumer Financial Protection Bureau found a host of top-tier credit card issuers — including Bank of America, JP Morgan Chase, HSBC, and Capital One — guilty of deceptive marketing practices. Fines and penalties were levied in excess of $1 billion.
Banks and credit card companies share the harsh spotlight of deceptive practices with identity theft and protection pioneer LifeLock.
LifeLock has been the subject of Federal Trade Commission actions, class action lawsuits, and most recently a lawsuit by its former chief information security officer, Michael Peters. Peters is seeking whistle blower protection, claiming the company deliberately limited consumer alerts to make themselves look better and improve their bottom line.
The Root of the Problem
Are there more instances of deceptive marketing and outright fraud than those that have been reported? I suspect so, since the identity theft protection industry is largely unregulated by federal and state laws, which means unsavory practices only come to light as the result of consumer complaints or the occasional whistle blower.
The lack of regulatory oversight enables many companies to carefully craft marketing language and service agreements to appear to offer far more than they actually do.
Steering clear of regulatory oversight is not as difficult as most people imagine. While banks and credit card issuers are the subject of tight federal regulations for their financial services, ancillary services such as identity theft protection and prevention, which are marketed as add-on products, are not as closely monitored. Some are even sold by affiliated companies (subsidiaries) that are wholly unregulated at both the federal and state levels.
It’s Not Insurance
Insurance can only be sold by licensed insurance agents representing licensed insurance companies, and insurance is tightly regulated individually by all 50 states and the District of Columbia.
Some identity theft companies skillfully blur the line between insurance company and what they actually are. A good example is found on LifeLock’s FAQ page, which asks the question, “What is covered under the LifeLock identity theft insurance policy?” The policy is not issued by LifeLock — rather, it is a master policy underwritten by State National Insurance Company.
A master policy is owned by one entity which then uses it to provide group protection to others. The problem is that the end users of the group protection are not customers of the insurance company, and are therefore not afforded any of the protections of state insurance regulations. In practical terms, that means that consumers may have their claims paid with insurance proceeds, but they are not actually the insured.
What’s the difference? While insurance policies and service agreements are both contracts, the difference is in the rules that govern what is in the contract.
Insurance contracts must contain certain provisions and are required by law to be written in language that most people can be expected to understand.
Service agreement contracts have no such rules and can be written as murkily as the entity writing the contract wants. The result for consumers is that they may be subject to all types of exclusions and limitations that are hidden in the fine print.
The Big Questions
Just because a product or service is lightly regulated or entirely unregulated doesn’t mean it’s necessarily bad or not worthwhile.
Unregulated businesses can range in size from your local pet boarding facilities (many locales have no regulations) to financial markets like the New York Stock Exchange, where regulations protect institutions and not individuals.
Engaging with unregulated businesses, whether it’s buying stocks or identity theft protection services, requires that you do your own homework: asking questions and deciding whether the benefits are worth the cost.
What Kind of Protection Do They Offer?
Identity theft protection services usually make some very big promises when it comes to coverage limits. It’s not uncommon for services to offer $1 million or more in protection often for less than $100 per year.
The reality is that the coverage is full of loopholes and things they don’t cover, like actual monetary losses, most of which are already covered by banking and credit laws that limit your liability to $50 per account. Since about 80% of reported identity theft is actually the result of lost or stolen debit and credit cards, the threat advertised by these services seems a bit hyperbolic.
The actual benefits are generally limited to repairing your credit history. However, the Bureau of Justice Statistics reports that most victims of identity theft spend less than one day clearing up problems caused by identity theft. Only about 10% of victims spend a month or more repairing associated problems. Many of those who require a month or more to resolve issues suffered from severe emotional distress as a result of the theft.
What About Fraud?
Actual identity theft — where a thief uses the victim’s personal information to acquire credit and fraudulently run up bills — only happens in about 20% of reported cases of identity theft.
And that figure is not all it appears to be either, because it includes attempts to establish credit. In most cases thieves try and fail to secure credit cards and loans in victims names.
The reason is that credit issuers usually go to great lengths to verify that the person requesting credit is legitimate, and a sudden burst of activity on a credit report will set off red flags for lenders, scaring them off and causing the fraudster to be denied.
Is Credit Monitoring Worth It?
Active monitoring of one or more of your credit reports for activity is almost always offered at an additional cost. When credit monitoring is included as part of an identity theft plan, you will get email or text alerts anytime there is activity on your credit report.
The problem is that credit report activity happens all the time. Credit reports are constantly being updated with payment histories, employer and insurance inquires, and internal credit bureau housekeeping activities.
You can avoid the false alerts and monitor your own credit by requesting your yearly free credit reports from annualcreditreport.com. Federal law entitles you to a free copy of your credit report from each of the three credit bureaus, Experian, Equifax, and TransUnion, once a year.
If you stagger your requests so that you review a different report once every four months, you will be able to provide yourself with the same type of monitoring as a paid service at no cost, without the false alarms.
In the event you lose your wallet or have reason to suspect your personal information has been compromised, you can place a fraud alert on your credit reports and receive a copy of all three every three months.
Is Public Records Monitoring Helpful?
Many services offer, for an extra charge, to patrol the Web — including underground chat rooms and forums where identity thieves sometimes trade and sell information — to check for your personal information.
This sounds comforting, but like nighttime creepy crawlies that lurk in dark basements, identity thieves don’t scatter when the lights come on. Nor do they throw up their hands and say you caught me, here’s your client’s information back.
For a nominal fee, you can place a security freeze on your credit reports which requires that you provide proof of identity and authorization each time your credit report is requested. The fee for a security freeze can be waived if you have been the victim of identity theft.
Simple Steps to Secure Your Identity
The best way to deal with identity theft is to not become a victim in the first place.
- Start with simple things like taking your social security card out of your wallet. In most cases, no one asks to see it anymore, and so long as you have the number committed to memory there is no reason to make it easy for a thief to get.
- Shred and securely dispose of bank and credit card statements.
- Lock up your documents. Birth certificates, tax returns, marriage licenses, and divorce decrees, among others, should be kept under lock and key in a home safe or safe deposit box.
- Keep your mouth shut. Even though you may have been raised to be a sharer, don’t provide your personal information to anyone who does not absolutely need it — and even then, only if you are sure you know who they are.
- Look over your shoulder before you enter your PIN or other personal information in ATM or other public kiosks.
- Password-protect everything! Use very strong passwords to secure all of your digital devices that connect to the outside world. That includes computers, laptops, PDAs, phones and game consoles.
Finally, watching the news for reports of data breaches at retailers or banks that you do business with is your best defense against the indefensible.
No matter how diligent you are in monitoring and protecting your identity there are times when you become vulnerable because of the mistakes of third parties. Being aware of the possibility is the best way to take steps before someone else’s mistake becomes your problem.