Archive for March, 2011

By Susan Grant

Earlier this month, the Consumer Federation of America (CFA) released that encourage identity theft service providers to act responsibly and help consumers choose services that follow best practices.

Another resource for consumers is the CFA’s tips, “.” You can find the best practices, the tips and other materials about identity theft on the CFA’s . Some identity theft services can cost hundreds of dollars a year, so it’s important to understand the features of the programs and what they can and can’t do for you.

No identity theft service can absolutely prevent your personal information from being stolen or used—if that’s the pitch, steer clear! But they can help to detect fraud quickly, and many offer advice on what to do if you become a victim. Some even resolve victims’ problems for them. There are also many things that you can do to reduce the risk of identity theft and to resolve problems if they arise.

So if you’re concerned about identity theft, take advantage of the free advice that’s available from government agencies and other sources, and compare what different services offer to decide what meets your needs the best.

For a podcast about the development and objectives of the CFA’s Best Practices for Identity Theft Services, listen

Susan Grant is the Director of Consumer Protection for the Consumer Federation of America.   The Consumer Federation of America (CFA) is an association of non-profit consumer organizations that was established in 1968 to advance the consumer interest through research, advocacy, and education. Today, nearly 300 of these groups participate in the federation and govern it through their representatives on the organization’s Board of Directors.

According to the Ponemon Institute’s U.S. Cost of a Data Breach Study, insider data breaches have decreased in number from 2008 to 2009. The reason for the decrease is “likely resulting from training and awareness programs having a positive affect on employees’ sensitivity and awareness about the protection of personal information” ().

In the same Ponemon study, it was found that data breach incidents cost U.S. companies $204 per compromised customer record in 2009, compared to $202 in 2008. The average total per-incident costs in 2009 were $6.75 million, up $100,000 from 2008. In any industry, trends and issues are constantly evolving, getting more complex and oftentimes, more costly. Professionals armed with the right knowledge are able to better defend their organizations and lead them with the best protection and security.

collaboration with (Risk and Insurance Management Society) provided us the opportunity to offer one of our most popular workshops, titled in January in their New York offices. The popularity of this workshop encouraged an additional training on the same topic scheduled for Monday, April 4 and Tuesday, April 5, 2011.

Designed for risk professionals; IT, data and financial managers; as well as anyone who maintains data and information security for an organization, the workshop will educate attendees on the following:

• Costs and Challenges of Data Breach
• Litigation/Settlement Examples and Discussion of Leading Cases
• State Breach Notification Regulations and Current Security Regulations
• Compliance Plan Development
• Prevention and Mitigation Strategies
• The Importance of Data Risk Information Security
• Responding to a Breach: Damage Assessment and Communications

“The growing sophistication of cyber risk is one of the biggest and most realistic fears for businesses today,” says Richard J. Roberts, Jr., member, RIMS Board of Directors. “Training and education is the best line of defense for risk management professionals.”

To learn more or register for the Cyber Risk workshop, please visit the To receive $50 off registration, please sign up before April 1, 2011 using the promo code: CYBEROFFER.

If you would like to attend this type of Cyber Risk workshop in your city and state, contact RIMS at (212) 286-9292.

By Ondrej Krehel

No single document contains more personal information than your tax return. Name, address, date of birth, Social Security number, employer information, banking accounts, routing numbers, credit card payment data—the list could go on. So it’s imperative that your tax documents are secure.

The days of filling out a paper tax form in black ink, with a calculator on the table, are over. Most of us file online, use a computer tax preparation program such as TurboTax or TaxCut or simply hire an accountant to do it. Whichever way you choose, here are some quick tips to boost your tax security.

When using an online tax service, make sure the address in your Web browser starts with an “https” rather than the standard “http.” The “s” signifies you’re on a secure connection. You should also see a little yellow padlock logo to the right of the web browser address bar.

Also confirm that it’s the actual company URL address in your web browser. Hackers are very smart at making fake URLs look real, like, for instance for The text of the URL itself is often misspelled—a sure sign of a fake website designed to harvest your personal information.

Create “strong” passwords for online tax vendors that have numbers, upper- and lower-case letters and symbols. For example, “3Dogz$$!” is better than “1006.” Don’t use the same password as your email or online banking accounts; make it unique. If the tax site is jeopardized, the hacker won’t have access to all your sites.

And generally, be aware of phishing email scams. The IRS will never send you an email. For more information see the IRS’s official vendor list here.

If your tax software has an online component, as many of them do, the above tips apply. But beyond those, drafting tax forms on your Mac or PC presents a special set of challenges. Your computer is susceptible to malware, viruses or a hacker intrusion, so always make sure it is up to date with the latest program versions and update patches. Most programs have an auto-updater. Run it every time you open the program. And make sure you’ve got the latest anti-malware and anti-virus software installed.

Also, don’t delete the software installation files—save them. You may have to make adjustments to your return or refer back to the program itself. Access to the original program, rather than just its data files, will be a big help in the event of a tax complication or audit or if you find yourself the victim of tax-related identity theft.

Still, you must secure the program and its files. Store all your files and completed tax records on encrypted media, whether an external hard drive or a specific, designated encrypted flash drive. Beyond the tax software files, also save copies of your completed return as PDF files. This will make the information easier to reference if you ever need to go back to it. Also consider printing paper copies and storing them in a secure place such as a safe or your safe-deposit box. Then, in the event of a total computer meltdown, you’ll still have hard records and backup.

If you use an accountant to handle your taxes, the biggest thing you can do is ask questions:

  • How do you store my personal information?
  • Where is it stored?
  • Who has access to it?
  • Is the information encrypted?
  • Do you have a data loss policy in place?
  • Do you have a privacy policy?
  • What are you doing to protect my information?

Don’t be afraid to be a little pushy. A professional accountant will understand the sensitivity and oblige. If they don’t, consider it a sign and move on.

For more information, see the special March 2011 tax-fraud education package .

Ondrej Krehel, Chief Information Security Officer,

Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.

Foster children are vulnerable to identity theft because of the transitory nature of their lives, according to a released Wednesday. They move frequently and their personal information is accessible by many people—relatives, foster parents, social workers and group home personnel.

“The Fleecing of Foster Children: How We Confiscate Their Assets and Undermine Their Financial Security” highlights the many ways we’re letting down America’s foster children and recommends to help. It was published by First Star, a national nonprofit that advocates for abused children, and the University of San Diego School of Law’s Children’s Advocacy Institute.

The research brings overdue attention to a growing problem of identity theft among foster youth. At any given time, more than 460,000 children are in foster care nationwide, according to federal figures. Each year 30,000 foster children leave the system when they turn 18 years old. Many of them don’t know their identities have been stolen and their credit destroyed until they have exited care and applied for a credit card.

“Foster children have all the factors to put them at the highest risk of identity theft,” said Identity Theft 911 Chief Executive Officer Matt Cullina, a licensed foster parent who has adopted three of his foster children. “This report is a step in the right direction because it creates awareness of the problem. The second step is to analyze the size and complexity of the problem and the third is to come up with solutions. If this is happening at the numbers we’re thinking, it’s a crisis.”

Identity Theft 911 has been working with parents and children to fight child identity theft for years. Identity theft against victims who are age 19 and younger accounted for 8 percent of all identity-theft complaints made to the Federal Trade Commission in 2010, up from 7 percent the previous year.

Identity theft victims spend an average of 330 hours repairing damage to their credit caused by identity theft, according to the report. Victims average more than $3,300 in lost wages due to the theft and, on average, incur more than $850 in expenses to repair the damage to their credit.

California and Connecticut have passed legislation aimed at protecting foster youth from identity theft by ensuring that a tarnished credit record or undeserved debt is not also part of their state system exit package. But still, it is not enough.

The report recommends that Congress pass the Foster Children Self-Supporting Act, sponsored by Democratic Rep. Pete Stark of California, and the Foster Youth Financial Security Act, proposed by Democratic Rep. James Langevin of Rhode Island.

Langevin’s legislation would help reduce identity theft risks by requiring foster care agencies to annually review the credit reports of children in their care and take steps to redress any identity theft or credit card fraud before the children age out of the system. It would also end the use of a child’s SSN as an identifier and help for older children get a driver’s license, open a bank account and apply for student loans.

In addition, the bill would provide financial literacy classes and seed money to set up Individual Development Accounts (IDAs) for foster youth so they leave care with a nest egg to pay for housing, education, and job training.

Identity Theft 911 works to protect customers and their children against child identity theft with .

“As a service provider we look forward to collaborating with government, nonprofit organizations, caregivers and foster children to address this crime,” Cullina said.

Adam Levin, Identity Theft 911 chairman and founder, and Eduard Goodman, Identity Theft 911 chief privacy officer, spoke with Washington, D.C. radio station WTOP 103.5 FM about identity theft protection and simple ways to lower your risk of becoming a victim.

Click to listen.


Every organization faces the threat of cyber risks. These risks come in many forms, including market risks, financial risks, reputation risks, legal risks and more. It is important for risk managers to be aware of these threats and the potential consequences they face if a breach does occur. This series gives a basic overview of some of the threats and legislation in which organizations should be aware.

Cyber Risk Legislative Trends by Eduard Goodman

Cyber Risk Threats to your Organization by Ondrej Krehel

By Eduard Goodman

Fly-by-night and unscrupulous identity theft service providers are to be expected in an industry with a lot of growth potential and countless victims. But they’ve always bothered me.

That’s why I was more than happy to participate in the working group that drafted the Consumer Federation of America’s Best Practices for Identity Theft Services. Setting basic standards is a win for the industry and a win for the consumer.

The Best Practices asks companies to clearly explain to consumers why their personal information is needed and how it will be used. It also recommends that they have readily available and transparent privacy policies. The section on privacy is reasonable and easy to understand. It does a good job of laying out basic expectations for providers.

Surprisingly, a number of companies have found that agreeing to follow these guidelines is problematic—mainly because of the privacy requirements. These businesses don’t value transparency of their practices for handling consumers’ personal information.

Now, I realize that the CFA document is not meant for nonprofits or government agencies. It’s intended for private companies who make money by helping people protect against, monitor and recover from identity fraud crimes.

This only drives home what a compelling business argument being pro-privacy makes in our industry. Not agreeing to the Best Practices because you can’t follow the privacy obligations is tantamount to a wind power or solar panel company saying it doesn’t believe in recycling. It’s counter to what the industry is all about. If you can’t be bothered to get your privacy house in order, good riddance.

FTC Chairman Jon Leibowitz said it best in his remarks for the Preliminary FTC Staff issued last December: “Some in industry support what we’re doing, but we know that others will claim we’re going too far. To those highly paid professional naysayers, I have only one question: What are you for? Because it can’t be the status quo on privacy.”

Eduard Goodman, Chief Privacy Officer,

An internationally trained attorney and privacy expert, Eduard has more than a decade of experience in privacy law, fraud and identity management. He is a member of the state bar of Arizona and served as the 2008-2009 section chair of the bar’s Internet, E-Commerce & Technology Law Practice Section.

Our March newsletter highlights the threat of tax-related identity theft, and it’s a timely examination since the federal government says it’s now the .

Tax-related identity theft usually takes one of three forms:

• Armed with a name and SSN, a thief submits stolen information with bogus W-2s to collect a tax refund in the victim’s name. The IRS spotted and stopped 23,000 of these incidents in 2009, the last year for which numbers are available.

• An identity thief uses stolen information to get a job, creating a headache—and financial liability—for the victim when the government wants taxes on income the victim never earned. There were 24,000 such cases reported in 2009.

• Through fake IRS and accounting websites, fraudsters con unsuspecting taxpayers—who think they’re filing returns—into submitting personal information. More than 3,000 of these sites were shut down in 2009 alone.

Think you can’t be a victim? Think again. In 2009, tax-related fraud affected more than 43,000 people, and the IRS Identity Protection Specialized Unit, which tracks and responds to identity theft issues, took 87,000 calls.

The IRS—which is, after all, pretty good at math—recognizes the scope of the problem and has taken steps to remedy it, with some positive results. But there are ways to guard your information and reduce your risk of becoming a victim of tax-related identity theft.

The Identity Theft 911 March newsletter includes firsthand accounts from victims, as well as tips to keep you safe when filing online. Read about this and more at the Identity Theft 911 .

The CFA’s Best Practices for Identity Theft Services

When the Consumer Federation of America took a hard look at identity theft service providers two years ago, the picture wasn’t pretty. It reviewed the websites for 16 leading providers and found the language describing their offerings confusing and unclear, at best.

The worst offenders appeared downright misleading, pitching services that weren’t really what they claimed to be. A bait-and-switch? Not exactly, but there was an apparent gap between services advertised and services rendered.

Something needed to be done.

After the release of its March 2009 report, , the CFA formed an identity theft best practices working group, which included industry representatives as well as consumer protection and privacy advocates. Identity Theft 911 served as a group member and drew from its own experience and methodologies to help shape the best practices. This month’s release of the is the result of the group’s efforts—a veritable call-to-arms for the industry and its business clients.

“Claiming that identity theft is preventable is an irresponsible business practice,” said Adam Levin, Identity Theft 911’s chairman and cofounder. “Identity theft risk can be reduced if the appropriate tools are in place for victimization to be detected at an early stage. By establishing industry best practices, companies are aware of the most responsible way to clearly and accurately market and conduct their services.”

The guidelines recommend that identity theft service providers have readily available and transparent privacy policies. They also ask providers to clearly explain to consumers why their personal information is needed and how it will be used.

Identity Theft 911 not only follows these best practices, we actually go beyond what the CFA has outlined.

“By doing this, we hope to give consumers a higher degree of confidence when choosing the right provider at a time when they most need guidance and support,” said Matt Cullina, Identity Theft 911 chief executive officer.

Please read the full press of IDT911′s endorsement of the CFA’s Best Practices for Identity Theft Services.

As lawmakers in Washington and the White House haggle over how to shave billions in spending from the budget for the current fiscal year, we have the opportunity to seize on an obvious reform that could save taxpayers a lot of money: getting deadline serious about reducing fraud and bolstering the identity theft defenses of large government agencies and programs like the IRS and Medicare.

As we now know from the latest Federal Trade Commission on consumer complaints, fraud related to government documents and benefits represents the single largest category of identity theft in the United States: In 2010 it accounted for 19 percent of all identity theft, up from 16 percent in 2009.

Fake credit cards used to be the favored vehicle for ripping off innocent consumers, but that type of crime is receding as banks and other card issuers tighten their security measures. In 2008 credit card fraud accounted for one out of every five reports of identity theft, in 2009 the proportion fell to 17 percent, and in 2010 it dropped to 15 percent.

“This shows that the IRS and programs like Medicare could still benefit from more active fraud and identity theft investigation and victim assistance and fewer budget cuts in these areas,” says Eduard Goodman, chief privacy officer for Identity Theft 911.

The federal government essentially is a “processing machine” when it comes to issuing benefits checks and may have little operational incentive to reform its practices from a fraud perspective, said Victor Searcy, Identity Theft 911’s manager of fraud operations.

At Identity Theft 911, we’ve been tracking the growing problem of tax refund fraud, such as when a thief uses a taxpayer’s ill-gotten personal information to create a phony tax return. In one we highlighted in this month’s newsletter, an Illinois retiree had his federal refund ripped off when a con artist simply mailed in a follow-up tax form filled out with only the minimum of information about the taxpayer.

The retiree eventually got his full refund, but that case, and many others like it, shows just how vulnerable a sprawling government agency like the IRS is. Tax- and wage-related fraud leaped from 12.3 percent of all identity thefts in 2008 to 15.5 percent in 2010, according to the FTC. Meanwhile, the fraudulent use of government benefits is also on the rise, going from 1.3 percent to 1.8 percent during the same period.

“This shows that the IRS and programs like Medicare could still benefit from more active fraud and identity theft investigation and victim assistance,” Goodman said.

To protect yourself against tax-related identity theft, follow featured in our monthly newsletter.