The latest breach of up to 18 million or more federal government employee files held by U.S. OPM is an example of everything that's wrong with data security and data breach response mechanisms today. Agencies and companies hold too much information for too long and don't protect it adequately. Then, they wait months before informing victims. Then, they make things worse by offering weak, short-term help such as credit monitoring. Our main message: your best protection against identity theft is the security freeze, not the often-offered, under-achieving credit monitoring.
Worse, Senators and Representatives are investigating OPM's credit monitoring vendor over complaints about its service. Senator Mark Warner (VA) has been very critical of credit monitoring vendor CSID and its subcontractors. As the Washington Post explains, "Looking for help after the federal employee hack? Prepare to spend a few hours on hold." The Post quotes Senator Warner:
“Information has come to light that raises questions about OPM’s awarding of this $20 million contract to CSID, and whether CSID has the expertise and capacity to provide the services for which it was contracted,” Warner said in a letter sent Friday [to OPM chief Archuleta].
Tips for Data Breach Victims
The FTC's tips for OPM victims apply to anyone. First steps: look at your free credit report and place (also free) fraud alerts on each of your three credit reports.
Also remember our own data hygiene tips:
1) The strongest prevention against "new account" ID theft after a breach is a security freeze, not credit monitoring.
A security freeze prevents your credit report from being shared with potential new creditors. If a thief applies for a new account in your name but your credit report is “frozen,” creditors will simply not open a new account. A security freeze offers peace of mind, although it does come with a modest cost ($5-10 one-time to place a freeze on each of your three credit reports, plus the same amount to "unfreeze" each report each time you want to apply for credit). Using the freeze also requires planning: when you want to apply for credit, you will need to selectively or temporarily unfreeze your credit reports. A few states offer free security freezes for identity theft victims or senior citizens. We campaigned to pass those security freeze laws in nearly every state. For more information on all the state laws, see our campaign partner Consumer Reports.
2) Credit Monitoring Doesn't Stop Identity Theft:
U.S. OPM and many other breached agencies or firms offer credit monitoring for a year or 18 months. It doesn't stop financial identity theft, although it may give you clues after it is too late (and it does nothing in simple retailer breaches where only your stolen credit or debit card number is used to commit "existing account" fraud). Further, threats loom well after 18 months. Even so, don't pay for credit monitoring or similar identity theft defense subscriptions, which can cost up to $20/month or more. Under federal law, you can access each of your three national credit reports (Equifax, Experian and TransUnion) for free each year even if you are not a breach victim. If you stagger a request for one of the three every 4 months or so, you've got free credit monitoring. Find out more, including how to request your reports, about imposter sites, and about additional free report rights for victims, from the U.S. Federal Trade Commission (FTC).
3) Keep Your Antivirus Software and Firewalls On High, Then Monitor All Your Own Accounts and Use Robust (How about R0bu$t#&173?) Passwords:
It's up to you to use good data security practices at home and work. Then, be sure to monitor your own accounts regularly for discrepancies. If offered, set up text alerts to warn you of large withdrawals from or large balances on your accounts. Use two-factor authentication when available. Use different passwords for different accounts, and keep them robust, not simple: use 8-12 characters minimum, and combine numbers, upper and lower case letters and, where allowed, special characters (such as &, %, $, #).
4) Watch For Phishing Scams and Don't Click Email Links
Credit card numbers have short bad-guy shelf lives, but Social Security Numbers and other personal details remain valuable for years. Thieves will also take advantage of the tons of information (your birth date, mother's maiden name, your dog's name, your home town) now available in a two-second Google search and combine it with information from a previous breach (e.g., your Social Security Number and workplace) for sale on an underground network. If they don't have all the information they need to commit the crime they seek (financial identity theft, tax refund fraud, medical services theft), they will send a phishing email or contact you on the phone to try to impress you with what they already know (“come on, I know so much, I must be legitimate”) so that they can get more. This is called social engineering. If someone calls you and says “I am from your bank,” hang up and call the number on your card, not the number they give you. And certainly don’t click on any links in any email or call the number listed allegedly “from your bank” or other firm. More of our advice on phishing is here.
5) Learn More Identity Theft Tips and Victim Cleanup Tips from the FTC:
You can trust the following identity theft advice from the FTC at https://www.identitytheft.gov/ where you can also find out how to resolve problems beyond typical identity theft, ranging from tax refund theft, medical services theft and child ID theft to clearing your name of false criminal charges caused by the imposter.
6) Other Problems Require Further Action:
Unfortunately, the potential harms from data breaches such as the OPM breach or health insurer breaches are much broader than financial identity theft. We cannot provide advice for all these problems but wanted to warn you of their severity. These harms include the use of security clearance details to threaten reputational damage and embarrassment, denial of future jobs or insurance coverage, and even extortion or stalking.
You may have state law rights to assert claims against these harms. Unfortunately, instead of focusing on requiring improved data security and improved victim rights, Congress is spending time working on data breach response bills. Any bill likely to pass Congress is weaker than most existing state laws and would also eliminate any stronger state data security laws and narrow the definition of harms victims are protected against. Instead of seeking to overturn strong state breach notice and data security laws, Congress should be working to make security freezes easier to use and free. Our recent data breach testimony to Congress is here. Our coalition letter opposing weak federal data breach and data security proposals is here.