As a consumer journalist I'm fed up with writing the same damned story over and over, and as a consumer-news reader you're sick of hearing it:
“Hackers broke into the customer database of yet another retailer, data broker, government agency or educational or financial institution. So beware, Reader: you must protect yourself from identity theft. Contact your credit or debit card company and change your account information as necessary. Update any and all automatic-payment plans connected to the affected accounts. Call your bank. Change your passwords. Keep an extra-sharp eye on your account activity. Take out a credit alert. Get a credit freeze. Call the following toll-free customer-service numbers and spend a couple hours waiting on hold until you're disconnected and have to call back. And don't forget to contact either TransUnion, Equifax or Experian to let them know about the breach! If you're lucky, maybe this time neither Experian nor the other two will screw up and sell your confidential data to an identity thief way the hell over in someplace like Vietnam — okay, you've done all this? Great! Now kick back and relax for a week or two until you have to do it all over again, the next time hackers break into the customer database of yet another retailer, data broker, government agency or ….”
Why is this still a problem? Why in hell's name do financial companies still operate according to the fiction “Hey, here's a form filled out with Jennifer's own Social Security number, date of birth and full name – by Zod, that must be her, because nobody else on the planet could possibly have this super-secret information. Let's lend thousands of dollars in high-interest, unsecured debt based on that! Then, if she calls to complain that this is not her debt and she is not responsible for repayment, she'll have to spend lots of time and effort jumping through hoops to prove her innocence, and of course she won't receive a single penny in compensation for her time, since it's worthless to us and what she thinks about it is irrelevant....”
Who actually does have access to my name, SSN, DOB and other presumably “confidential” data about me? In addition to close family members, and various hackers through the years who broke their way into databases they had no business accessing in the first place, a partial listing of people who can access my private, top-secret, “nobody knows it except me” identifying information includes:
Various employees of every local, state or federal tax department I've ever paid money to.
DMV employees in the states where I've held driver's licenses.
Employees of the two state universities I attended.
Employees of every financial institution through which I've taken out a loan, or held a savings or investment account.
The HR/personnel staff at every job I've ever held.
The HR/personnel staff at every job my now-husband ever held with me listed as his health-insurance dependent or life-insurance beneficiary.
Employees of every insurance company I've dealt with: medical, dental, auto, life and renters' insurance.
The staff of every hospital, medical or dental center where I've sought treatment or had a checkup.
Every pharmacist who's ever filled a prescription (and dealt with the required insurance paperwork) for me.
Every landlord from whom I ever rented a place to live (I haven't bought a house yet, but when I do, add realty agents and mortgage brokers to this list).
Possibly the employees of the K-12 public school districts I attended back in the day; I have no idea how long they keep such records on file.
And maybe the federal workers with access to U.S. military personnel-budget files, since I spent my entire childhood as an active-duty-Navy dependent; again, I have no idea if records from my days as a legal minor would still be around.
I'm sure there's a few I forgot to mention here. And you, of course, have a similar list of all the many, many people whose jobs grant them access to your personal identifying information. That list is separate from, though occasionally overlaps with, the list of people and institutions who have or can get your bank, credit card or other financial account information.
Yet the bulk of our entire financial-services industry (at least the part you need to worry about, where identity theft is concerned) seems committed to the idea that either none of these people exist, or every last one of them is completely, 100% trustworthy and responsible.
What's at stake
The strange thing about identity theft is that, while you're supposed to “protect your identity,” ultimately it's the bank's money at stake here: if someone steals your identity and borrows money (or buys a cell phone) in your name, it will be a very annoying and time-consuming process for you to straighten out the mess, but at least you're not liable for whatever money and property the lender lost.
So how, exactly, did it become your responsibility and mine to protect the assets of lending institutions who we might never even have done a lick of business with, because they're too careless to verify a borrower's identity before lending out their own money?
Back in 2007, I tried finding the answer to that question. At the time, I lived in Connecticut, paid taxes to same and wrote for a (now-defunct) alt-weekly. Meanwhile, some twit at the state Department of Revenue Services decided to put information about 106,000 state taxpayers onto a laptop computer, which then got lost or stolen.
A couple weeks later, I got a letter from the DRS warning that my information was on the laptop. As part of the state's “We're sorry; our bad” make-good efforts, the letter advised me to contact Experian or one of the other credit-monitoring agencies, who would then be legally obligated to put a 90-day “credit alert” on my records.
What does that mean? Over the course of those 90 days until the credit alert expired, if anybody contacted Gigantobank, MegaCellPhone or any similar institution and said “Howdy, I'm Jennifer, here's my SSN and DOB to prove it, now gimme hundreds if not thousands of dollars' worth of unsecured high-interest debt,” Gigantobank, MegaCellPhone et al. were required to make a “good-faith effort” (exact quote from the DRS) to determine this genuinely was me, before saddling my financial record with the legal obligation to pay back this debt.
Determining you're really you, before making you liable for a debt – that's considered a rare and special high-alert privilege, not the default setting. And should you happen to discover the existence of one or more previously unknown credit cards or other loans in your name, it's up to you to prove they're not yours; no “innocent until proven guilty” assumptions apply.
Oh, that's simple
Why can't you just tell the company “I never borrowed this money, and if you think I did then prove it – show me some evidence, my signature, a security-camera image of me filling out the forms in a bank?” Why is the onus on you to prove your innocence, rather than them to prove your liability?
I asked Jay Foley, executive director of the Identity Theft Resource Center, who said, “That's simple -- the fact that your personal information was used to open the account.”
Except it's not really “my” personal information, is it? It's not just me, my mother and some laptop thief in Connecticut who knows all of my “personal information” -- it's everyone on that earlier list plus everyone I forgot to put on it, and hackers from all over the world. So that temporary, special-privilege “credit alert” – the radical idea that a credit-card company shouldn't issue a credit card in my name without first making a “good-faith effort” to ensure it's actually me – why isn't that standard procedure?
In 2007, Jay Foley said it's because proper identity verification would make it impossible for stores to offer instant, on-the-spot credit; instead, people who applied for a card might have to wait several days before they get it. “If it fell to credit card companies to prove the individual opened the account, [I couldn't get same-day credit] if I walked into a Kmart, or a Wal-Mart, or a Sears.”
Heaven forbid anybody wait a day or two before getting a shiny new store credit card; that would leave time enough for second thoughts, and consumers might even decide “You know, in light of my not-too-good financial situation, maybe I shouldn't buy these inflatable floating color-changing LED bathtub lights after all ... or at least wait until I can afford to pay cash, rather than buy on the installment plan.”
And, of course, the problem of ID thieves opening brand-new credit accounts in your name is entirely different from the problem of ID thieves getting your legitimate credit-card or financial information out of some corporate or government database, and using it to fund an intense, short-lived spending spree.
Nowadays, you can barely go more than a week without hearing another hacked-customer-database story. In just the past month, such data-theft hackings were discovered at Home Depot, The UPS Store, Dairy Queen, SuperValu grocery and liquor stores, Community Health Systems (a for-profit hospital network you've never heard of although they operate in 29 states), JP Morgan Chase and other banks … and that list is almost certain to grow longer before the end of the month.
Remember: when thieves steal with credit cards in your name, you're not legally liable for all the money the credit card company lost – but you do have to spend time straightening out the mess, and take extra care to ensure the various data brokers who decide your credit score know about it, because a low credit score means you must pay higher interest on any loans or service plans you take out, and in certain instances you can even be denied a job if your credit rating is deemed “too low” … but if you're unjustly denied a mortgage or even rejected for a job because some lender or data broker screwed up and dragged down your credit score, too bad. You have no legal recourse at all.
As for how much longer banks and other lenders can continue eating the cost of the hackers' frequent spending sprees in lieu of changing their operating procedure to make them less frequent — your guess is as good as mine. Meanwhile, brace yourself for the next time hackers break into a customer database with your information on it, and you must take steps to protect yourself from identity theft, monitor your accounts, call all these numbers and ….