by Doug Pollack

There is a growing amount of legal commentary emerging in the discussion surrounding the Experian vs. LifeLock lawsuit. This week, Peter Bronson from The Union.com published an article titled “Business Law Bulletin: Experian vs. LifeLock Heats Up“.

Relative to the false and misleading advertising issue, Mr. Bronson notes that:

“According to Experian’s lawsuit, at least one Lifelock ad claims that the company’s services make it virtually impossible for identity thieves to strike, but that fraud alerts are only effective against those particular types of fraud that require accessing a credit report. In other words, says Experian, Lifelock cannot protect against such forms of identity theft as an undocumented worker using someone’s Social Security number to obtain a job; or against unauthorized use of a credit card.”

It is interesting to see a credit bureau that advertises their credit monitoring services as a means to help deter identity theft relentlessly (who hasn’t seen the FreeCreditReport.com ads on TV?) make the case for the inherent limitations in this area.

Mr. Bronson goes on to point out the ambiguities with LifeLock’s famous $1 million guarantee:

“Lifelock does offer a $1 million guarantee that if a customer’s identity is compromised, Lifelock will help restore the customer’s credit standing and pay the cost of doing so. However, Lifelock’s web site states that the guarantee comes into effect when a customer’s identity is compromised “due to a failure or defect in our Service”, a phrase that seems open to more than one interpretation. (If the service offers protection against only certain types of identity theft, does the guarantee only cover those specific types?)”

This is the first instance where I’ve seen someone dig into the specifics of this guarantee. The “service defect” provision certainly provides LifeLock with a get-out-of-jail-free card. Not to mention, given that it is the financial institutions who provide most of the financial fraud protection, how valuable really is a $1 million guarantee other than as a marketing gimic. I guess we’ll all find out as this lawsuit unfolds.

by Doug Pollack

Right on the heels of the lawsuit filed by Experian against LifeLock, the self-proclaimed leader in identity theft protection, which asserts that LifeLock uses deceptive advertising and misleading claims in advertising their service, as well as illegal means of setting fraud alerts on behalf of their customers, now a CBS news report by Jim Benemann has put LifeLock to the test, along with two other companies, Debix and TrustedID, that rely on credit bureau fraud alerts or freezes for protecting their customers.

It seems that based on this test, these products do not prevent identity theft as you might be led to believe based on LifeLock’s advertising. So on to the test. The first thing he did was have three of his colleagues, Tom, Jillian, and Kristine, each sign up for one of the three services. Then…

“With their permission, CBS4’s Jim Benemann took all of Tom, Jillian and Kristine’s personal information including their social security numbers and dates of birth. Using that information, Benemann applied for the same major credit card in each of their names. The only little thing he changed was the address. Benemann asked for those credit cards to be mailed to his home address. Essentially, he stole Kristine’s, Tom’s and Jillian’s identities.

The three testers weren’t worried. They all figured they would get that phone call telling them that someone was applying for credit in their name and they would put a stop to it immediately. Tom waited, Jillian waited and Kristine waited close to their phones. They waited 24 hours, then 48 hours and then a week. Not one of them got a phone call from any creditor even though they had paid companies for credit protection.”

It is worth noting, that a fraud alert can easily be placed by an individual for free, just by contacting the credit bureau. Unfortunately services like these make the fraud alert seem like a “silver bullet” for preventing identity theft. As this test proves, nothing could be further from the truth. The reporter goes on to note:

“And remember Kristine who signed up with LifeLock? A little more than a week after Benemann applied for a credit card in her name, that card arrived, mailed to him, at his home address. And that had Kristine all the more interested in finding out about LifeLock’s $1 million guarantee…Here is what LifeLock had to say:

‘The credit card companies have a contract with the credit bureaus that say they must honor fraud alerts. The fact that they chose not to is proof that the fraud alerts are not bulletproof. The good news is that this is where the LifeLock $1 million guarantee is most effective. LifeLock is not a credit monitoring service but a protection service in the event a fraud alert proves to be ineffective.’ “

Having said that, LifeLock didn’t clarify how they then provide “protection” for the victim of ID theft. In the past, LifeLock had outsourced victim recovery services to other companies. It would be instructive to know what they do for their victims today.

by Doug Pollack

Right on the heels of the lawsuit filed by Experian against LifeLock, the self-proclaimed leader in identity theft protection, which asserts that LifeLock uses deceptive advertising and misleading claims in advertising their service, as well as illegal means of setting fraud alerts on behalf of their customers, now a CBS news report by Jim Benemann has put LifeLock to the test, along with two other companies, Debix and TrustedID, that rely on credit bureau fraud alerts or freezes for protecting their customers.

It seems that based on this test, these products do not prevent identity theft as you might be led to believe based on LifeLock’s advertising. So on to the test. The first thing he did was have three of his colleagues, Tom, Jillian, and Kristine, each sign up for one of the three services. Then…

“With their permission, CBS4’s Jim Benemann took all of Tom, Jillian and Kristine’s personal information including their social security numbers and dates of birth. Using that information, Benemann applied for the same major credit card in each of their names. The only little thing he changed was the address. Benemann asked for those credit cards to be mailed to his home address. Essentially, he stole Kristine’s, Tom’s and Jillian’s identities.

The three testers weren’t worried. They all figured they would get that phone call telling them that someone was applying for credit in their name and they would put a stop to it immediately. Tom waited, Jillian waited and Kristine waited close to their phones. They waited 24 hours, then 48 hours and then a week. Not one of them got a phone call from any creditor even though they had paid companies for credit protection.”

It is worth noting, that a fraud alert can easily be placed by an individual for free, just by contacting the credit bureau. Unfortunately services like these make the fraud alert seem like a “silver bullet” for preventing identity theft. As this test proves, nothing could be further from the truth. The reporter goes on to note:

“And remember Kristine who signed up with LifeLock? A little more than a week after Benemann applied for a credit card in her name, that card arrived, mailed to him, at his home address. And that had Kristine all the more interested in finding out about LifeLock’s $1 million guarantee…Here is what LifeLock had to say:

‘The credit card companies have a contract with the credit bureaus that say they must honor fraud alerts. The fact that they chose not to is proof that the fraud alerts are not bulletproof. The good news is that this is where the LifeLock $1 million guarantee is most effective. LifeLock is not a credit monitoring service but a protection service in the event a fraud alert proves to be ineffective.’ “

Having said that, LifeLock didn’t clarify how they then provide “protection” for the victim of ID theft. In the past, LifeLock had outsourced victim recovery services to other companies. It would be instructive to know what they do for their victims today.

by Doug Pollack

A recently published article in E-Commerce Times concerning the costs of corporate data breaches titled The Cost of ID Theft, Part 2: Fixing the System written by Andrew Burger, highlights the staggering economic impact of the increasing number of data breaches by America’s corporations.

The article notes a statistic from the Ponemon Institute that pegs the average cost of a data breach at $197 per record compromised.

“The stakes are already quite high when it comes to data loss: According to Gartner and the Ponemon Institute, the loss of a single record — not financial fraud — is around (US)$197. If you take the extremely conservative estimate from the same research that said that in 2007, 127 million records were lost, you get around $25 billion in direct losses noted Uriel Maimon, senior researcher for security firm RSA.”

Ponemon further explores these costs, finding that around two-thirds of the cost of the data breach is associated with the loss of customers or reduction of corporate reputation.

“The cost of lost business is likely to be larger and more significant than actual cash losses and expenses related to remediation, however. The average customer churn for businesses surveyed that had suffered a breach was 2.67 percent, noted Kevin Bocek, director of product marketing for encryption firm PGP.”

With this in mind, companies should plan as part of their data breach response plans to explicitly focus on elements of their response that will engender customer goodwill. While this may seem difficult to achieve in such circumstances, every opportunity to reach out and touch your customers creates an opportunity to increase retention and brand loyalty.

by Doug Pollack

There has been a great deal of attention recently paid to the actions by credit bureaus enabling consumers to use credit freezes as a tool to avoid or deal with identity theft events.

In a recent New York Times article titled “In ID Theft, Some Victims See Opportunity”, the author highlights several companies, like ours, that provide ID theft protection services. Several of these companies see the use of credit freezes and credit fraud alerts as a panacea for eliminating the threat of identity theft. This is a position that we do not subscribe to. We believe strongly in encouraging consumers to use all appropriate best practices to avoid identity theft, and we provide a product, FraudStop, that provides broader prevention from ID theft by addressing not just credit records, but also other records including real estate, motor vehicles, utilities and the like, all of which can be used by identity thieves.

“Among its peers, LifeLock has attracted the most attention–much of it negative. In radio and television ads, Todd Davis, chief executive of LifeLock, gives out his Social Security number to demonstrate his faith in the service. As a result, he has been hit with repeated identity theft attacks, including one successful effort this summer in which a check-cashing firm gave out a $500 loan to a Texas fraudster without ever checking Davis’ credit report. Last summer, The Phoenix New Times, an Arizona paper, reported that LifeLock’s co-founder, Robert Maynard, had a criminal past. Maynard later resigned.”

But despite the best protection, ID theft does and will occur. Which is why the consumer is best served by a company that can provide them with an expert to handle any identity theft issues. Which is what we do with our staff of personal recovery advocates. Most identity theft protection services companies do not provide recovery services. They do not have teams of trained professionals. They do not see this as important. We obviously do. And so do the over 2.5 million people that rely on our recovery services.

Among other things, the author highlights that identity theft services whose only value is in setting fraud alerts or credit freezes for consumer, are vulnerable to potential legislation.

“[This] business [specifically mentioned were LifeLock, TrustedID, and Debix] is vulnerable if Congress succeeds in pressuring the three major credit agencies to make these theft-fighting measures cheaper and more accessible to consumers. Sen. Charles Schumer, Democrat of New York, criticized the credit companies last month for making identity theft freezes too cumbersome to set and lift. Each of the three credit agencies recently bowed to public pressure and made freezes available in all 50 states.”

But this article is silent on the consumer need for professional ID theft recovery services. It is projected that over 10MM people in the US will fall victim to identity theft in 2008. Identity theft protection services such as ours, and those provided by others in this space, will help in turning this trend. But consumers should be told the truth. There isn’t a silver bullet that will guarantee that you won’t become a victim of identity theft. ID thieves are using increasingly more sophisticated means to steal from you. Which is why if you opt for an identity theft protection service, it should include expert, professional, personal recovery assistance.

by Doug Pollack

The Wall Street Journal this week published an article on synthetic identity theft titled “The Borrower Who Never Was” (Christoper Conkey, October 29, 2007).

It describes how an identity thief named James Rose would create synthetic identities, those that appear real on paper, but were actually used by him in order to trick financial institutions into making loans or issuing credit cards.

“Working with a partner, Mr. Rose tricked the guardians of the credit system — lenders and the three big credit bureaus — into treating his fake identities as if they were real, creditworthy consumers. He obtained several hundred credit cards in the names of Mr. Gregory and as many as 500 other fake personas over two years, filching around $750,000 over a two-year period.”

Unlike more common identity theft, synthetic identities are used primarily to defraud financial institutions without affecting individuals. Mr. Rose noted that their goal was to “make a lot of money without actually hurting people.”

Despite protestations to the contrary, some feel credit bureaus aren’t doing enough to deter identity theft. In the case of synthetic identity theft, it is the knowledge of credit bureau procedures that enable criminals to create and exploit synthetic identities. Evan Hendricks, editor of Privacy Times, notes that “the credit bureaus are at the epicenter of identity theft and there’s no pressure at this point to force them to make changes.”

by Doug Pollack

A recently federally funded study on identity fraud by Utica College’s Center for Identity Management and Information Protection “paints a complex portrait of the signature crime of the digital age, one that has been the top consumer fraud complaint to federal authorities for six consecutive years.”

As described in a recent article titled In Many Major Cases ID Theft isn’t Personal (Joseph Menn, LA Times-Washington Post, 10-22-07), this study challenges a widely held perception that a majority of identity theft cases occur with people that are known to the victim.

Based on 500 individuals arrested by the US Secret Service over the last several years, only 8% were relatives of or acquainted with their victims. The most common tool for identity theft based on this study was any of a variety of technology devices, including credit card encoders, computer printers and telephones, which contributed to 37% of the cases.

This study further reinforces the need for individuals to be very careful with their personal information, and how and when and to whom they disclose it, but also highlights that identity theft can occur even to those people that are consummately careful.