Saturday, April 28, 2007

The stolen laptop saga strikes yet again

Retailer Neiman Marcus had a pension company report a theft of a laptop with the records of 160,000 employees current and past.

These “data breaches” are almost starting to sound too common. Almost a yawner compared to TJ Maxx and the 45.7 million tidbits divulged. Neiman Marcus disclosed this breach because some of those employees are in states that have laws requiring disclosure when information is lost or stolen. Stolen laptops and data breaches are not new, but due to disclosure laws, we are hearing about it more often than ever before.

The thief who took the laptop did so because of opportunity. He was a petty thug who saw an opportunity. That opportunity kindly was provided by a person who set it down somewhere in public and walked away for a minute, most likely to get extra napkins for the latte that spilled a few drops on a table in a cafĂ©. I’m making this up, but the real scenario was surely that simple. Most thieves are lazy and go for the low hanging fruit, the easy targets. The thief was not thinking about what information it could possibly have on the hard drive either.

Now the thief takes this laptop and turns it into cash quickly. After all he’s done his work for the day, now time to get paid. That laptop will end up changing hands a few times and it will be the random luck of the draw of who’s hands it passes through and who looks at the data stored on it. It will most likely end up in a pawnshop and eventually on an internet auction site.

This laptop theft like all others that have come to light recently will cost Neiman Marcus much more than they would have spent on the control of that information. They paid for credit monitoring for 160,000 people, and that was a nice tidy sum they did not have in this years budget.

It would have been cheaper and easier to have spent more money up front to control their corporate information, through data-protection policies and training that applies to anyplace that information is stored, including a laptop with a third party. They will now be spending money on that.

If that was an individual's laptop, not a corporate one, the same reaction would happen. A flurry of activity would occur to fortify and monitor to be sure there are no attacks. Not only was the loss of the device costly, you now have, monitoring, worrying, time, and effort etc, added to that unecessary event.

You normally don't leave a purse or wallet unsecured in public, even briefly, because there is a good chance it will be stolen. The same is true with a laptop.

These thieves are not smart, but we have to be, and take some extra steps to not become a piece of low hanging fruit.

Sunday, April 22, 2007

You can make a difference by refusing to hand over your information

Recently a friend of mine wanted to volunteer to be an assistant Little League coach. There is an extensive application that everyone is required to fill out and turn in to a designated league volunteer. That volunteer then takes the application and runs it through a paid service to do a background check to be sure you are not a predator with a history of past offenses. This is all good as we all want the children to be safe from those individuals. But it is imposing a great risk to all volunteers.

My friend asked me if he should provide all the information requested, drivers’ license, date of birth, social security number, etc. I advised him against it. Why? Because he would be handing the keys to his identity over to a complete stranger, a volunteer, a person he had never met! He was sure this person was using the information correctly and as required, but what else should he be concerned with? The answer is a lot!

Let’s assume this person is an upstanding volunteer and only uses this information for its intended purpose. But what does he do with all of those applications emailed or mailed to him. He called to find out, and it turns out he has to keep them until the end of the season, and then he shreds them and delete them. Great, but how secure are they until then. My friend was never sure. The volunteer probably did not leave them on the kitchen counter, but didn’t lock them up either, and he was sure his email was probably not password protected. And that’s where the system falls apart. Everybody in the league knows he collects hundreds of applications with all this information. This is literally a goldmine to anybody with deceitful intentions. A plumber, a painter, the housekeeper, a babysitter, a relative, a teenager’s friend etc. Starting to see the picture?

Why do they need all this information? Simple, the more information they have on you, the narrower they can have the search results returned and the less duplication of names.

Well guess what started happening? People were refusing to provide information and therefore volunteer. On April 13, 2007 the Little League International issued a statement that they would no longer be requiring volunteer applications to include a social security number. It does not address the entire issue especially with the information volunteers possess, but it definitely is a step in the right direction.

The next time someone asks for more information than you think they should have, take a stand and refuse, you may not receive the service you wanted but ask yourself if it is worth loosing your identity over.

Saturday, April 14, 2007

National identity theft awareness week

While identity theft is a year round event, this coming week, could just qualify for National Identity Theft Awareness Week. The week could get this designation because it is becoming one of the more prevalent ones for identity theft due strictly to the time of year. No, there is no such week, but if there were any good time to raise awareness, this week is it.

We wouldn’t be human if we did not have some worry this time of year regarding filing our income taxes.

The forms, the documents, the receipts, the calculator, the room you barricade yourself in, and vow not to emerge until the deed is done. Those are all recurring items that we’ve been through before and will go through again, but we still feel anxiety regardless.

While getting your taxes done is paramount for this time of year, you need to be on alert for more than just an audit. The thieves and con artists go into overdrive this time of year. They feed on your sense of commitment and urgency to get that return done and in on time.

So what should you be concerned about? Here are my top 10 awareness items to think about this week for protecting yourself from an identity thief:

1) Shred all those printed copies that you found mistakes on, and had to reprint.

2) Keep your hard copy of your tax returns locked up.

3) If you use a tax preparer or a CPA, be sure they are securing your information, after you leave the office. Look around to see and verify that they use a shredder. Ask them how they secure your information when they are done for the night.

4) Give some consideration to where you are copying a tax return. It has recently come to light that copiers retain digital information of every copy they make, and some are not being properly erased.

5) If you used software at home on your own PC, save your tax returns to a disc and delete it from your hard drive. Keep in mind if you loose a laptop do you want your tax return available to anyone who acquires it?

6) Ignore and delete emails from the IRS. They don’t have your email address, do you remember providing it to them?

7) Only eFile through the links on the IRS website . Recently thieves have been setting up fake eFile sites and collecting your information.

8) Don’t provide any information to any who calls claiming to be from the IRS.

9) Don’t leave your return in your mailbox. Take it to the post office directly.

10) Use a reputable tax preparer. Remember that you are handing them the keys to your identity, if you don’t know them, they may just drive off with it, or sell the information to a third party.

Tuesday, April 10, 2007

The IRS does not use email?

Around this time every year millions of emails arrive proclaiming the IRS needs you to verify your information, needs more information, has money to give back to you, and the list goes on and on. To conform, all you need to do is cough up some very valuable information.

They all invoke some type of high emotion, either fear or excitement. Both can cloud clear judgment, and reasoning. And it works, all too well.

Lets look at this from a logical and simple point of view. What is the main goal of the IRS? To collect tax revenue. What else do they do? Audit you to try and collect more tax revenue. Have you ever heard of them doing anything else?

Those two functions just about wrap it up.

So if we look at what they don’t do here is my simple list of 5 rules, and read rule #1 at least 50 times:

Rule 1)The IRS doesn’t ask for an email address on your 1040
Rule 2)The IRS doesn’t ask for missing information via email (See rule #1)
Rule 3)The IRS doesn’t ask for more information via email (See rule #1)
Rule 4)The IRS certainly doesn’t offer additional refund money via email (See rule #1)
Rule 5)The IRS absolutely doesn’t locate bonus or extra money just for you

Now go back and read rule #1 above again. If you can remember that, you can be assured that any message you get proclaiming anything from the IRS is a fake and a phishing scam.

So when you see the words IRS in an email for any reason instantly think of my IRS #1 rule and then hit the DELETE key.

Tuesday, April 3, 2007

The costly disparity of debit and credit cards

I can't help but wonder how many of the 45.7 million cards stolen from TJX were split between debit and credit cards. The number was lumped together as a whole as if they were all the same. To TJX there was no difference, they said sorry for the inconvenience, and moved on. Not so fast, because to the victims there was potentially a huge difference.

All this starts with the cards looking identical to consumers. This leads many to the conclusion that because they look alike they are alike. The biggest difference to them is one gets billed and the other comes from their checking account. What else could there be?

Under the Fair Credit Reporting act you cannot be held responsible for unauthorized charges to your credit card. The burden you face is to prove you did not make the charges, file a police report etc. Your liability is generally limited to $50 per card.

The people who had their debit cards compromised fall into a whole different category of liability. Within the first 2 days you liability is capped at $50. Up to 60 days it is capped at $500, after the 60 day window you are wide open for unlimited liability or the balance of your account. Those clocks start ticking the day you notify your bank of the theft, or the date of your first paper or online statement where the unauthorized charges appear. You become "notified" even if you don't open up the envelope or bother looking!

Remember , the "Zero Liability" card you have is not a mandate to the bank from the government, only a courtesy from your bank. Even then, it is at their discretion who is truly liable.

I'm sure many do not bother to review their charges or statements because they feel "protected" and have "zero liability". I would like to hear from some victims of the TJX fiasco to see how well they made out with these policies. I'm sure many looked at those statements for the first time in a long time when they heard about the breach and were quite surprised.

The easiest solution, review your statements regularly. They are your best defense to a costly theft!