Thursday, April 26, 2012

Identity Theft and the Dead


I remember explaining to a group of people one time that “your credit does not stop just because you died.”  There were a number of very shocked people in that room.  I was responding to a question from a woman whose husband had passed away two years earlier.  She was upset because she was receiving phone calls from collection agencies about debts that were created after her husband had passed.

Many people believe that once you die all of your accounts just disappear.  They don’t realize the steps needed to shut down both the accounts and the identity. To close the accounts you need to send a copy of the death certificate and a letter explaining the situation to each of the creditors.  This also includes those credit accounts that are open but have a zero balance.  The next step is to send a photocopy of the death certificate to the three Credit Reporting Agencies so they will mark the file as deceased.

To shut down some of the governmental records you need to send the death certificate to the Social Security Administration. Most of the time this step is only used by the surviving spouse to collect the survivor benefit.

Now we have a study from ID Analytics that shows how 2.5 million deceased people have had their identities used for fraud and work purposes. Does this really surprise anyone? In 2004 there was a report that in one State, during a one-month period, 140 deceased people applied for driver's licenses.

There are numerous stories of persons who have had their identity taken and used after their death.  Many of those stories come from the surviving family who are dealing with the fallout of the imposter's actions.  It is in many ways almost as painful for families as the loss of the loved one. Time does not ease the pain of these issues; it causes them to multiply.  With each fraudulent account there is a possibility of dealing with as many as 4 collection agencies that are involved.

One more aspect of the crime of identity theft and the deceased is that it is not unheard of to find that the perpetrator is from the deceased’s own family or circle of friends. There are many different solutions to the problem of identity theft.  None of the solutions is all-encompassing or can be put in place as simply or easily as most of us would like.  It will take a long time to fix the problems and then to fix the fixes.

Monday, April 16, 2012

Data Breaches in the Medical Community


The recent study commissioned by Kroll Advisory Solutions shows a clear increase in data breaches. 27% of the respondents stated they had at least one security breach during the past year, up from 19% in 2010.  Respondents indicated 79% were attributed to employees, while many of the others were due to the actions of outsourced or contract employees. More than half of the problems were identified as unauthorized access to data, such as patient name and date of birth, by an outside individual.

The survey found 27% of the respondents had at least one security breach over the past year, up from 19% in 2010 and 13% in 2008. The survey found 79% were attributed to employees, while most others were chalked up to actions from outsourced or contract employees. Over half of the problems were identified as "unauthorized access to information," typically the patient's name and birth date, by an individual.

The study reported that paper breaches, including improper destruction, happened over 40% of the time.  The survey reported that computer security issues were increasing rapidly.  Problems around the use or loss of laptops or portable handheld devices were identified 22% of the time. Data breach problems from third party vendors retaining healthcare data rose to 10%, up from 6% in 2010.  Network breaches due to outside attacks were reported at about 3%.

According to the report, 31% felt that information available on a portable device was the factor most likely to contribute to the risk of a breach. In 2010 the estimate was 20%.  Twenty-two percent of those who responded said the data was compromised when a laptop, handheld device or computer hard drive was lost or stolen, which is twice the number who said this in 2010.

The following is an excerpt from an article by Ellen Messmer at Network World.

The report says the vast majority of healthcare institutions conduct formal risk analysis, relying mainly on federal guidelines such as CMS Meaningful Use requirements and the National Institute of Standards and Technology. The goal is to comply with the mandates of the American Recovery and Reinvestment Act of 2009, which includes funding for healthcare records, and the HITECH Act, which contains penalties for security lapses related to misuse of patient healthcare information.

The report says almost all the survey's respondents had taken steps to prepare their hospitals and medical centers for a possible federally-run Office of Civil Rights HIPAA audit. Four percent had been audited and 90% in this case indicated they'd try to prepare better in the future. Two percent of all respondents said their organization had been fined as a result of a HIPAA violation.

The key here is in the very last sentence. Those organizations that were fined for HIPAA violations also faced the threat of prolonged legal action.  The organization that does not take the steps to eliminate the risk gambles its own future.  The cost of controlling the data is one thing.  The cost of protecting the data is another that cannot be ignored.

The Question of Legislation


The State of Maryland has passed and sent to the Governor an interesting piece of legislation.  It will allow parents to freeze their children’s credit report. It will allow parents to freeze something that is not supposed to exist.  So if there is no file what does the parent do?  Keep checking back every year until they find that the file has been created?  The effort and desire to do something good for children has produced something that will be marginally effective at best. 

The correct way to protect the children would be to have the Social Security Administration supply the names and SSNs for all the children to the three credit reporting agencies.  This file would be automatically checked anytime a request for a credit report was made of the CRAs. If no file is found the CRA could then check the list of minors.  It would protect all of the minors without the parents having to do anything special.

There is one clear problem with a sign up system. For some of the children the person who should be signing them up will be the person stealing the child’s identity. The children who need the protection most are under the control of the perpetrator.

When we first started looking into the issue of child identity theft the first group we ran into were foster children who were aging out of the foster care system.  Soon after, we discovered that children who were in close proximity to drug users often found themselves to be victims.

Our original suggestion was that the SSA would share the list of minors with the three CRAs and the Department of Motor Vehicles for all the States and Territories.  We suggested that because we had discovered that some of the stolen identities were used to get replacement driver's licenses. One of the cases involved a father who had lost his driver’s license due to multiple DUIs.

I applaud the desire to help children avoid becoming victims of identity theft. From what I have seen there is a need.  It is, however, a need that must be fixed the right way.  There are too many mistakes that can come from rushing a fix into place.

Tuesday, April 10, 2012

Cell Phone Database to Fight Identity Theft


A joint venture by several of the large cell phone providers is going to help people avoid identity theft.  They are building a database of lost and stolen cellphones with the intent of blocking the phone from being reactivated.  The wireless companies are making this effort in a positive attempt to block cell phone thieves from using the stolen phone.

The core idea is to help keep the owner's personal information out of the hands of the person who steals or finds the phone. The cell phone will have an identifying code assigned to it that will allow providers to deactivate the phone and stop it from being used again once it is reported lost or stolen. Anyone trying to reverse engineer or hack the code should face serious legal troubles.

Customers with AT&T, Sprint-Nextel, T-Mobile, and Verizon will have the protection. The Federal Communications Commission believes the database will be ready to launch sometime around October.

Saturday, April 7, 2012

Having No Fun With The IRS


There are multiple stories of tax time problems and issues.  With each tale we hear more of the difficulties that the victim goes through.  The outraged cries of “why does this happen?” ring across the country.  There must be a way to protect myself and my family from this kind of identity theft!

Time for a reality check. The IRS system is designed to collect tax monies from employers and then refund the over collection upon the delivery of a return.  They are not in the practice of validating the SSN with the person.  They operate on the simple belief that each of the tax returns they receive is valid because it would make the whole system collapse if they had to screen each for authenticity.  For the hundreds of fraudulent returns that are reported last year or this, there are millions of valid returns.  Imagine trying to validate millions of returns, as fast as possible so you can generate the return and get it to the proper party.

One of the largest problems could be solved by combining the data of the SSA with that of the IRS. The problem is that by combining those two organizations you will be one large step closer to George Orwell’s 1984 society.  The more information in one place, under the control of one large government agency, the greater the chance of it being misused.  It is a very fine line to walk between effectiveness and the issue of Big Brother.

There will be many conversations within and around the parties concerned about this problem before we start seeing changes.  For me that is a comforting thought because it is change that is not thought out that sparks new problems.

Thursday, April 5, 2012

One More Time into the Breach


In a recent article by Neil Versel in Information Week, two of the more recent breaches for the medical industry are discussed.  The key point made in the article was that for both groups the data was not encrypted.  For Howard University Hospital the data was downloaded by a subcontractor who took it off site.  For the other breach, the State of California Department of Child Support Services was shipping backup tapes by a commercial carrier for some off-site testing.

For years now I have been talking about the need for encryption as a data protection tool.  If you let data leave your control, then the people you have entrusted it to had better have the same, if not better, protection for it than you do.  Without encryption every entity that loses control of the data must inform those whose data was exposed.

It is unrealistic that, seven years after Choicepoint became the poster child for breaches, we still have companies and agencies that do not encrypt the data, that still allow subcontractors to take the data off site in unsecure fashions, and that do not have a plan in place for dealing with an information breach.  There is no one who is exempt from data theft or loss.  Why should anyone think that the rules don’t apply to them?

The information on the article in Information Week is below.

2 Healthcare Data Breaches Show Importance Of Encryption
Patient data from Howard University Hospital and California Department of Child Support Services wasn't fully encrypted, and one security expert wants to know why.
By Neil Versel, InformationWeek
http://www.informationweek.com/news/healthcare/security-privacy/232800389
April 05, 2012 04:35 PM

Skimmers Strike Again


The Federal authorities in Nevada announced an indictment that accuses 13 California residents of participating in an identity-theft scheme that employed electronic skimmers at ATMs around Las Vegas to illegally capture data from credit and debit cards.

What was unique about the skimmers in this case was that they were mounted into exterior door readers at Chase bank branches in the valley. To gain after-hours access to the ATM machines the customer has to swipe their card in a door reader.  The indictment charges that the defendants also installed a pinhole camera on the ATM PIN pads to capture the account holders’ personal identification number (PIN).

The door skimmers captured account holders’ data, including account numbers, names and card expiration dates. This information, along with the captured PINs, allowed the defendants to create and use counterfeit credit cards.

This is the reason that I always use one of the tools God gave me before I stick my card in any machine.  I first stick my finger in the opening and move it around.  If the slot moves in any way I will never stick my card in it.

Monday, April 2, 2012

The Next Big Oops.


MasterCard  and Visa, working with Law Enforcement, are investigating a breach of information from a third party card processing company.  The breach may have exposed up to 1.5 million credit card numbers and holders.  The consumers now get to watch their statements for charges they don’t recognize and didn’t make.  Businesses get to deal with the loss of goods and services to the thieves using the stolen data. The credit card companies get to monitor the activity and try to shut down the fraudulent charges or deal with the financial loss.

The interesting part of this is that if you ask the normal consumer who the third party company is or what they do, you will get a blank look or a shrug of the shoulders.  The third parties are the unknown element in the business loop.  The customer knows the merchant and the credit card company / bank but they have no idea of how many others are part of the loop.

The problem is that when one of the background companies has a failure that exposes the data, the message the consumer receives will be diluted and vague.  The diluted message doesn’t clearly inform the consumer that the data is theirs or of the proper steps to mitigate the loss, and quite normally there will not be a clear explanation of what has happened.  Because there is not a clear connection between the company and the vendor it used, which lost the data, the focus falls on the merchant.

This is and will continue to be a very costly problem until each group steps up and puts in place the measures needed to reduce the damages.  The Businesses need to hold their vendors responsible for the security of the data that passes through their systems.  The processors need to use up to date encryption software to eliminate the potential easy score of data. The Banks and Card companies need to keep their security standards up.  Consumers need to be aware of their personal information and where it is shared.

Until the day we all pull together, the thieves will continue to succeed.