Not "If" but "When"
- 1. Not “If” but “When” WHAT BUSINESSES SHOULD KNOW ABOUT THE IMPACT OF IDENTITY THEFT ON CONSUMERS Paula Pierce P. Pierce Law, P.C. www.ppiercelaw.com 512-850-4808 #IDTheft
- 2. About the speaker: Paula Pierce has been assisting identity theft victims since 2005 when President GeorgeW. Bush authorized the U.S. Department of Justice to fund four organizations to identify strategies for helping identity theft victims.
- 4. A Brief History of Recent Equifax Breaches • 2016 – Security researcher xOrz reports XSS vulnerability on Equifax’s main website – exposing customer user names, passwords & data. 9/8/17 – it wasn’t fixed. • 5/2016 – Information of 430,000 people stolen because of “lax” security. Court orders Equifax to stop using SSNs/DOBs as PINs to access PII. • 1/2017 – PII of undisclosed number of Lifelock customers leaked by Equifax.
- 5. . . . . . . . • 5/2017 – Equifax reports hack of tax information of an undisclosed number of individuals from its payroll service. Caused by the failing to install the same security patch involved in the current breach. • 9/2017 – Equifax reports compromise of 143,000,000 individuals’ files including SSNs, DOBs, addresses & DL#s + theft of credit card #s of 209,000 people • 10/2017 – Equifax adds another 2M victims to the count – 145,500,000 consumers affected. (Doesn’t include the 700k+ Canadians & Britons whose information was also hacked.)
- 6. What Happened? Failed Security 101: Equifax was running outdated systems and routinely failed to install software security patches.
- 7. Post Event Failures • Breach discovered in July and not reported until September. • Violation of Texas breach notification law:Tex. Bus. & Comm. Code § 521.053(b). • Notify persons whose information was compromised “as quickly as possible.” • Exception: If law enforcement asks company to delay notification. • If individual notice is too expensive, can set up a website for notification. • 48 states & DC have similar breach notification laws.
- 8. . . . . . . . • Initial consumer site didn’t work. • Second try – offered 1 year of monitoring – if consumer waived right to participate in class action suits and agreed to arbitration. • Third try – removed class action and arbitration provisions – requires consumers to enter some of the stolen information and doesn’t provide anything relevant in return. • Tells everyone their information “may” have been impacted.
- 9. Not if, but when . . . • BJS – 17.6 millionAmericans had identities stolen in 2014 • Up from 9 million in 2010 • FTC –Texans are disproportionately affected
- 11. About IDT victims AND WHY DO THEY ACT CRAZY SOMETIMES?
- 12. How do I know if I’m a victim? • Check your credit reports • Pay attention to mail from bill collectors • If you start receiving calls from bill collectors or companies you don’t do business with • Check credit card & bank statements every month • If your bank account is suddenly overdrawn • If you receive a letter saying a warrant is out for your arrest for a crime you did not commit • Fail a criminal background check • Your license is flagged when you go to renew it
- 13. Who are victims? • All ages; although, statistically age 25-35 are at greatest risk due to data breach. • All races, all incomes. • States along drug & human trafficking routes are disproportionately affected. • Elderly disproportionately affected by phishing scams. • Family violence victims also disproportionately affected.
- 14. Why do they yell at my customer service reps? • IDT is intimate – it’s one thing to steal your money entirely another to steal who you are. • Recovery is stressful. No one is helpful or cooperative. • It’s the crime that keeps on keeping on. It’s never over. • Victims of extensive IDT have symptoms of PTSD: sleep disturbance, eating disorders, clinical depression. • Marriages break up, relationships suffer, jobs lost
- 15. Recovering from ID Theft WHAT VICTIMS ARE GOING THROUGH 15
- 16. 3 Steps to Recovery 1. Stop the damage 2. Report the crime 3. Repair accounts & credit 16
- 18. Stop the Damage • Change account numbers • If check fraud, ask your bank to put you in the CANS (Closed Account Notification System) • Set a fraud alert by calling one of the credit bureaus • Get a credit freeze if you are not going to use your credit any time soon 18
- 19. Report the Crime 1. Go to www.ftc.gov/idtheft and make a report online, print it, sign in front of a notary, make lots of copies – this is now an IDT affidavit 2. Report to your local police – where you live NOT where the impostor is using your identity 3. Report to other places, e.g., SSA, US Postal Inspector, IC3, Secret Service, NOT FBI 19
- 21. If it’s not in writing, it doesn’t count! • Do everything in writing! And always attach: • Proof you made a police report • Copy of your government issued ID • Copy of the ID theft affidavit (FTC report signed in front of a notary) 21
- 22. Who to write & what to say • Who to write? • Credit bureaus • Businesses that gave credit to impostor • Collectors who contact you • What to say: • Accounts were made by an impostor, demand they be closed and that your identity be taken off of them • Tell businesses to send you copies of account documents • Tell credit bureaus to block impostor accounts from your credit report
- 23. Friendly Tips • Send correspondence with tracking – fax with confirmation or CMRRR. • Keep copies of everything you send and receive in a file, scanned, in a box – just keep them! • Keep a record of every phone call – time, date, who you talked to, and description of the conversation. • Take care of yourself. ID theft is an intimate crime. Don’t be surprised if you experience emotional stress and fatigue.
- 24. Medical ID Theft/HIPAA Breach • DON’T MENTION IDTHEFT UNTILYOU HAVEYOUR MEDICAL RECORDS! • Order your medical records: • From your own primary care doctor – this is your baseline • From places where the impostor was treated • Compare them • Write places where impostor was treated and ask that impostor’s records be de-identified and marked as John/Jane Doe
- 25. Criminal ID Theft • Go to Sheriff’s Department (Airport just south of Koenig) • Ask for a stolen ID file • They’ll fingerprint you and make you sign a stolen identity affidavit • In the mail you’ll receive a stolen identity letter and PIN • If you are stopped, tell the officer you have a stolen identity file and give the officer your PIN
- 26. If nothing works – be glad you live in Texas • Chapter 521 ofTexas Business and Commerce Code • Application to be declared a victim of identity theft • File application, send notice to creditors by certified mail • Attend a hearing, tell your story • If court finds enough evidence, you get a court order confirming you are a victim.
- 27. Tips for Texas Businesses
- 28. Responsibilities of a Business to Victims •Protect customer info •Know the law: FCRA, FDCPA, 521, HIPAA •Have a breach notification plan •Investigate •Correct information sent to credit bureaus •Cease all collection efforts against victim
- 29. Responsibility of a business after data breach • Check your CGL policy for cybersecurity or breach coverage. • Get legal help! • Notify all customers who were affected. • You are not required to provide credit monitoring. Most businesses do it as a courtesy. • Notify credit bureaus if required by law.
- 30. Online Businesses • Tell users what information you collect and how you’ll use it. • Have protections so that no personal information is collected from children. • Tell users how you’ll protect their information. • Get a lawyer to review your privacy policies because these laws change rapidly.
- 31. For more information Paula Pierce paula@ppiercelaw.com 512-850-4808
Editor's Notes
- #11: From Justice Department’s national drug threat assessment Note that TX is at intersection of 2 major routes Traditional IDT hotspots: Texas, Florida, Arizona