The recent Equifax data breach affecting 145 million records has been a sensational story. Equifax is one of the three credit agencies (Equifax, Experian and Trans Union) that track our most sensitive personal financial information, so the thought of cyber-thieves getting that information is scary. What, if anything, should you do about it?
The first step is to determine whether or not your personal information has been exposed, because Equifax is just the latest victim in a string of data breaches. Even if you have found that your personal information was not in the Equifax hack (see box), it could have been compromised in another data breach. For perspective, visit the excellent infographic at informationisbeautiful.com. To check if your email address has been compromised, go to haveibeenpwned.com/ and enter your email address. My search there revealed that ALL of my email addresses have been compromised. Based on this, it is not unreasonable to assume that some of your data has been compromised.
The next step is to put identity theft in perspective and decide what to do about it. How much money could an identity thief steal from you? How else can identity theft affect you? How much effort do you want to put into protecting yourself from these consequences? There are two types of identity theft: Account Takeover and Identity Takeover.
- Account Takeover – Using your information to make charges and transfers in your legitimate accounts (usually bank, credit card, or brokerage accounts).
- Identity Takeover – Using your personal information to open new credit accounts, file fraudulent tax returns in order to obtain refunds, receive healthcare services, or apply for other financial benefits.
It is relatively easy to protect yourself from account takeover, but it is much more difficult to protect yourself from identity takeover.
Most account takeover liability is limited by law, as long as you report it on time. The table below lists the potential exposure by type of account. As long as you monitor your accounts regularly (monthly for credit cards, daily for debit cards), your exposure is limited (See table 1).
Because these limits exist, it is relatively easy to limit your financial exposure to account takeover. The liability limits to account takeover are time-sensitive, especially for debit cards. The most effective ways to limit your exposure are:
- Monitor your debit accounts daily
- Implement alerts on your debit and credit card accounts to catch suspicious transactions early, such as geographic, transaction, or account balance limits
- Review your credit card statements monthly, as soon as possible after you receive them
- Do not link large savings accounts to your debit card account
Identity takeover is a less common, but more difficult to resolve, problem. Although the consumer’s responsibility for the fraudulent accounts and charges is normally low, the time and money spent repairing identity takeover can be significant. Protecting against identity takeover involves keeping your own information safe, but also monitoring for signs that your identity may have been stolen from a third party.
To prevent others from obtaining your personal information, I recommend the Security Checklist (recently updated) on our website. Even after taking the measures listed on our checklist, you should also monitor your credit information to identify identity takeover and limit the damage it can cause. Table 2 below lists common steps you can take, along with the pros and cons of each.
Identity theft continues to increase at an alarming rate, affecting over 6% of consumers in the U.S. last year. MCS recommends that you take measures to increase your cybersecurity and reduce the risk that your identity will be stolen, as well as monitor your accounts so that you identify fraudulent transactions and limit your liability. Please feel free to call me if you would like to discuss cybersecurity and identity theft prevention.
Jeff Yamada, CFP®
- Texas at Austin Center for Identity; Predicting and Explaining Identity Risk, Exposure and Cost Using the Ecosystem of Identity Attributes; Zaeem et al; 2016 https://identity.utexas.edu/assets/uploads/publications/Zaeem-2106-Predicting-and-Explaining-Identity-Risk-Exposure-and-Cost-Using-the-Ecosystem-of-Identity-Attributes.pdf
- Wallethub; Identity Theft: What It Is, How It Happens & the Best Protection; Papadimitriou, Odysseus; 11/29/2016; https://wallethub.com/edu/identity-theft/17120/
- AgingCare.com; Protect Yourself: Steps to Take After a Data Breach; Kerskie, Carrie; 05/16/2017; https://www.agingcare.com/articles/protect-yourself-steps-to-take-after-a-data-breach-200198.htm
- Center for Identity Management and Information Protection; Identity Crimes, Prevention Methods; except from Biegelman, Martin T.; Identity Theft Handbook: Detection, Prevention, and Security, Chapter 20; John Wiley & Sons, inc.; 2009; http://www.utica.edu/academic/institutes/cimip/idcrimes/prevention.cfm
- US Federal Trade Commission; Stopping Unsolicited Mail, Phone Calls, and Emai: https://www.consumer.ftc.gov/articles/0262-stopping-unsolicited-mail-phone-calls-and-email
- Identity Theft Resource Center; http://www.idtheftcenter.org/Fact-Sheets/fs-131.html
- Javelin Strategy & Research; Identity Fraud Hits Record High with 15.4 Million U.S. Victims in 2016, Up 16 Percent According to New Javelin Strategy & Research Study; 02/01/2017; https://www.javelinstrategy.com/press-release/identity-fraud-hits-record-high-154-million-us-victims-2016-16-percent-according-new
- Budnitz, Mark E.; The Legal Framework of Mobile Payments; 02/10/2016; http://www.pewtrusts.org/~/media/assets/2016/02/legal_framework_of_mobile_payments_white_paper.pdf
- Charles Schwab & Co., Inc.; Security Guarantee; http://www.schwab.com/public/schwab/nn/legal_compliance/schwabsafe/security_guarantee.html