If you are a victim of identity theft you have a right to four (4) free credit reports in the year after you report the fraud. Federal law* gives you those rights. The consumer credit reporting agencies (CRA) don’t really want you to know that. I know people who work at the credit bureaus that aren’t even aware of these rights. Here’s how you get the four free credit reports.

1. Every victim gets a free credit report when reporting fraud. Call the CRA, report that you are a victim, place your initial 90–day fraud alert, and ask for your credit report (this is done using an automated voice response system or online).
2. Get a police report, fill out an FTC fraud affidavit, and send an appropriately worded letter to the CRAs. In the letter, request an extended 7–year fraud alert on your credit file. Once you do that, according to U.S. law, you have a right to two (2) free copies of your credit file disclosure (credit report) in the following 12 months (from each of the 3 CRA).
3. As part of the same Federal law, you have a right to one free credit report every 12 months, regardless of whether you are a victim or not. This is the “free annual credit report” you’ve no doubt heard about. And it is totally separate from the free reports you get as a victim.

So that’s four free reports in one year from each of the three CRA (so actually 12 total reports). That is far better than credit monitoring—and it is totally free. In other words, if you are a victim, paying for a credit monitoring service is expensive overkill.

Now all those laws and procedures are kind of a pain to understand and deal with. It requires sending letters with correct information and remembering all the specific time frames. All this confusion used to play right into the hands of the credit reporting agencies, by serving as a virtual obstacle to you taking advantage of your rights.

Well, don’t worry about it anymore. Because my company, Truston, is going to help you with all that. And all it will require is your email address to get started. Sign up here to get notified when we launch our service.

* The Federal law I refer to is Public Law 108–159, Fair and Accurate Credit Transactions Act of 2003. Which amended the Fair Credit Reporting Act. How do I know all this? I read these laws in my spare time. My misery is your pleasure .

If you are an identity theft victim, there may be times—believe it or not—when your bank should be uncooperative when you are reporting fraud. They should never provide you with sensitive account information after you report fraud, until they have confirmed you are the actual victim. Otherwise, they could be providing sensitive information to the imposter (not you). That is why you will (should) be asked to provide an FTC fraud affidavit and police report to the bank fraud investigator or security officer. They should verify this information and from that point forward assume you are the actual account holder. And they should tell you to place a PIN or password on your accounts. That goes for credit cards, savings accounts, and checking accounts. If they don’t mention the PIN/password, then you should demand it.

A well run bank should have clearly defined internal procedures and processes for dealing with consumer fraud.

WSJ.com has an article about signing for your debit card purchases. Banks are trying to get consumers to use signature-backed transactions versus using your PIN—they can make more money that way. Banks (the card issuers) get a higher fee on these purchases. PIN-backed transactions should actually be less risky for merchants and the issuers, so the fee should be lower all around (often it isn’t, which is scandalous). The article points out that some banks are now providing consumers incentives (both negative and positive) in the form of point-of-sale fees (penalties) if you use your PIN and extra perks if you don’t. What should you do? Well, it depends, but I’m going to rain on the entire parade and tell you to avoid using your debit card altogether (if that’s feasible).

I wrote a blog post on debit cards versus credit cards here. I was shocked to read in the WSJ article that debit cards are one-third of all card transactions. These are generally a bad idea from a security and risk standpoint for consumers. My blog post points out the pros and cons. I do realize that people are too far in debt and misuse their credit cards. So some folks use debit cards to avoid this problem. That’s fair, I suppose. However, if you are someone that pays all your bills every month, I recommend avoiding debit cards for purchases. Your protections are far less robust with debit cards than credit cards.

Update: I don’t think my original post sufficiently displayed the outrage we should all feel if it is true that banks are penalizing their customers for using a PIN with a debit card transaction. It’s a far less risky transaction—for you, the bank (card issuer) and the merchant. A fraudster would have to have stolen your card and the PIN. Debit cards are proven to be far safer at the point of sale. So it is outrageous for your bank to charge you a fee for using a safer transaction. It’s a totally upside down way of looking at it. We’re trying to reduce fraud aren’t we?

GUS, plc, the UK-based parent of Experian, one of the three main U.S. credit reporting companies, has announced plans for Experian’s IPO. In a news release entitled Demerger of ARG and Experian, by October 2006 Experian will be an independent company listed on the London Stock Exchange (and outside the grasp of U.S. regulators such as the SEC). More from GUS:

GUS plc, the retail and business services group, announces that it has commenced posting documents to its shareholders proposing the demerger and public listing of its two remaining businesses, Argos Retail Group (ARG) and Experian.

Subject, inter alia, to shareholder approval, the demerger will result in GUS shareholders receiving one share in each of ARG and Experian for every GUS share they hold. Immediately following the demerger, it is expected that Experian will issue further shares to raise new capital of approximately £800m.

The expected timetable to achieve this is as below:

Tuesday 29 August 2006 EGM to seek shareholder approval for the demerger
Thursday 14 September 2006 Approximate date of publication of ARG and Experian prospectuses
Friday 6 October 2006* Suspension of listing of, and dealings in, GUS shares at 4.30pm
Tuesday 10 October 2006 Demerger becomes effective
Wednesday 11 October 2006 Shares in ARG and Experian commence trading at 8am

GuardMyCreditFile has the story.

Media giant Time Warner (TW) has had to announce that data tapes storing names, addresses and Social Security Numbers have been lost in transit. The tape contained data on current and former Time Warner employees, their families, dependents and beneficiaries. No TW customer information was involved. The company was shipping the tapes to an off-site storage facility run by Iron Mountain, Inc.

Update: Fixed the error in title

The US PIRG blog points out a new blog authored by seven scholars and professors that will focus on bankruptcy and credit called Credit Slips. Nice title. In their own words, it’s a blog about “what does happen and what should happen when consumers and businesses borrow money.” I’m subscribed.

I first reported on a data breach in Hampton, VA here. Now police and local officials are saying they believe that the only people who actually saw any sensitive data were the people who reported it. It takes real nerve to make such a wildly improbable claim—and with apparently no evidence to back it up. This smells like a cover-up or just cluelessness. Does anyone in Hampton, VA even care? Do any security experts that read this blog care to comment?

The TimesDispatch.com has the story.

GuardMyCreditFile reports:

HR 3997, the controversial bill that would stop the states from regulating data breaches, has been placed on hole in the House of Representatives. The bill, written primarily by the financial services industry, was scheduled to be voted on this week by the house. The move is good news consumer and privacy groups. But the bill is not quite dead yet.

HR 3997 would have weakened laws regulating consumer data breaches by replacing strong laws in 34 states with a very weak federal standard. Under the standard that is contained in the bill, companies would be given a choice of whether or not to notify consumers when their data was exposed without authorization. Most consumer groups agree that very few, if any notifications would take place.

My recent post about this is here.

A victim of identity theft recently won a significant award against one CRA and continue her pursuit of justice. Her credit score and in tatters she went after the credit bureaus because after proving herself a victim of ID theft they allegedly did not comply with federal laws. Potomac News reports:

A federal jury has ordered Equifax Information Services LLC to pay a Nokesville woman $351,000 in actual damages from an identity theft lawsuit.

The $45 million lawsuit against three major credit reporting companies, Equifax, TransUnion and Experian Information Solutions and creditor CitiFinancial Inc. was the second in Suzanne Sloane's battle to reclaim her stolen identity.

When the Sloanes discovered that they had been the victims of identity theft, they reported the crimes to the credit reporting companies. Their lawsuit says the three companies continued to show debts incurred by the identity thief on the Sloanes' credit report.

The federal lawsuit against the credit reporting companies also sought about $13 million from CitiFinancial.The suit says CitiFinancial passed one of the accounts Shovana Sloan had opened to debt collection agencies, which then harassed the Sloane family for money that Shovana Sloan had spent.

So after a scan of this article, I am guessing that the CRA’s were alleged to have violated the Fair Credit Reporting Act (if you prove you’re a victim, they have to remove the fraudulent data from your file) and CitiFinancial the Fair Debt Collection Practices Act (if you prove that debt was incurred fraudulently, they can’t continue to sell your debt out to collectors). Anyone with more knowledge of this case care to comment?

It’s tiring trying to keep up with the moving targets that are the new data breach and ID theft bills moving through Congress. But Beth Givens of the Privacy Rights Clearinghouse and Ed Mierzwinski at U.S. PIRG warn consumers that a vote may be approaching next week on HR 3997 (Financial Data Protection Act). This bill covers, among other things, data breach notification and credit freezes. In its current language, it would seriously weaken consumer protection laws nationwide. Although it has improved somewhat since its last incarnation. I will quote from Beth’s newsletter liberally here, because she explains it well. I hope she won’t mind, it’s such an important issue. Please see the PRC web site for details:

Here's why we continue to consider H.R. 3997 to be bad for consumers. At least 34 states have passed laws requiring companies that experience data breaches to notify individuals that their sensitive personal information has been compromised. This enables consumers to take steps to prevent identity theft, such as placing fraud alerts on their three credit reports. The strongest of those state laws, including California's, require that the breached organizations notify individuals in each instance.

H.R. 3997 allows companies to decide whether or not they think the breach will result in harm to individuals before deciding to notify individuals. This is called “trigger language.” We believe this provision will result in many breaches not being disclosed to the affected individuals at all. We don't think companies that experience breaches, especially when SSNs are involved, can foretell the future, at least not at this time. To make matters worse, this bill would pre-empt all of the breach notice laws passed by states, thus wiping out strong consumer protection provisions across the country.

The only good thing to report about H.R. 3997 is that the security freeze provision has been removed. In our previous newsletter , we explained that this bill would only allow victims of identity theft to freeze their credit reports – AFTER the harm has been done. We strongly believe that ALL consumers should have the ability to freeze their credit reports – the ultimate identity theft prevention strategy that individuals have.

Jim at GuardMyCreditFile fires both barrels at Congress pointing a finger at the campaign contributions saying

…And if you want to know why Congress would consider legislation that is so clearly opposed by their constituents, you need look no further than campaign contributions. Two of the bill’s four co-sponsors are on the financial services industries "top 10 list" for campaign donations.

Jim’s blog post has a really cool feature you should check out. If you plug in your address and ZIP, it instantly tells you your US Rep and Senators, without even jumping to another page. And Consumers Union has a web page that makes it very easy to send a message to Congress.

I haven’t yet read the new version of H.R. 3997, but Ed points out:

It also includes a little-noticed provision that immunizes credit bureaus from the so-called credit repair doctor laws, giving them carte blanche to deceive consumers about their over-priced credit monitoring services.

Finally, the PRC, U.R. PIRG, Consumers Union and many others believe that a “competing” bill, HR 4127 is a vastly superior piece of proposed legislation (read their sites to find out why). One of the major reasons I find 4127 attractive is giving all consumers access to secret profiles that are kept on virtually everyone at the many data brokers, as the PRC points out:

H.R. 4127 contains an additional provision that is especially valuable for consumers. It gives individuals new rights to review and dispute information held by the large data brokers such as ChoicePoint and Lexis-Nexis. This industry is unregulated at this time. Yet the data warehouses of information brokers contain detailed profiles on virtually every American adult. It's long overdue for consumers to have access to their data files and to make sure the information is correct.

Update: The U.S. PIRG Consumer Blog says “House Action On Privacy Likely Delayed.”

Update 2: The vote has been delayed.