Monday, September 18, 2017

Actions to Consider in Response to the Equifax Data Breach

There are three major credit reporting agencies:  Equifax, Experian, and TransUnion.  According to the Wall Street Journal, there is also a smaller, fourth agency called Innovis.  These companies collect our personal and financial data.  The Equifax website states that it “organizes, assimilates and analyzes data on more than 820 million consumers and more than 91 million businesses worldwide, and its database includes employee data contributed from more than 7,100 employers.”  Whenever we consumers apply for credit, purchase insurance, apply for a job, rent an apartment, purchase the latest cell phone on contract, etc., the businesses we patronize will query the databases of the credit reporting agencies to check our credit scores and history before deciding to do business with us.  The data these agencies collect are precisely the high-quality data that identity thieves crave to wreak havoc in our personal and financial lives.  It therefore came as a shock when we learned a couple weeks ago that the Equifax database was breached by hackers this summer, particularly when it was revealed that there was a software security patch published in March that would have plugged the security hole in the company’s system.  Reportedly the data exposed includes names, Social Security numbers, birth dates, addresses, and driver licenses as well as some credit card numbers and other unidentified data.

So now what do we do?  There have been many articles written in the press about steps you can take to try and protect your online financial accounts and your personal identity.  Based upon my review, here are some steps (not exhaustive) you should consider:

1.      First, go to www.equifaxsecurity2017.com and click the Potential Impact button.  That will link you to a page where you can enter some basic information and find out if your personal information has been exposed.
2.      If your data was exposed, you can enroll in a free year of identity theft protection and credit file monitoring from Equifax in a product called TrustedID Premier.
3.      Go to your online financial accounts and change the challenge questions that you must answer.  Challenge questions appear if you try to log in to your account from a computer that hasn’t been verified with the institution (via a “cookie” on your computer).  Many of these challenge questions can be answered or inferred from the very information that was stolen.  Therefore, it is better to choose more difficult questions that can’t be answered from your now exposed information.
4.      Go to your online financial accounts and sign up for email and text alerts every time there is a transaction, or a change to your username or password, access from a different computer or device, or a change to any other personal account information.  This will allow you to more closely monitor your accounts for fraudulent activity.  But don’t click on any email links as it could be an imposter email.  Instead, login to your online account to review the activity.
5.      Go to your online financial accounts and enroll in two-factor authentication if it isn’t already enabled.  Two-factor authentication requires the entry of a temporary code that is sent by text to your cell phone if there is a log-in attempt from a computer that is unknown to the institution’s website.  Typically you will have accessed your online accounts from your home and work computers and those computers will have been registered with the websites.  The two factors are entering information you know (username and password) and entering a code from something in your personal possession (cell phone).  Since the identity thieves won’t have your cell phone, you have a strong layer of added protection.  Microsoft and Google also have two factor applications which you can use for your different accounts.
6.      If you are not using strong passwords unique to each financial account, you should do so.  Weak passwords are oftentimes based upon personally identifiable information.  To be able to keep track of strong, unique passwords, you need to use a password manager such as LastPass or 1Password among others.  In addition, you may wish to change and strengthen your account usernames which often are just your name or email address.
7.      Set up fraud alerts with the three credit reporting agencies.  You will be alerted if someone applies for credit in your name.  But an alert comes after the fact and is not preventative.  Fraud alerts typically last 90 days and must be renewed for continued coverage.  An extended alert of 7 years requires proof of identity theft.
8.      A more effective action is to freeze your credit history with each of the credit agencies.  The press is reporting that the credit reporting agencies are trying to persuade people to not freeze their credit (maybe because they will lose revenue?).  They emphasize the hassle that you will endure.  If you push ahead, then they try and get you to “lock” instead of “freeze.”  Evidently there is a meaningful difference between the two.  You will need to evaluate the difference to see what is best for you.  Those who have frozen their credit describe the process of temporarily unfreezing as necessary as not being that difficult.  There is typically a small charge for placing the freeze and for temporarily lifting the freeze.  Be sure to consider the freeze for your spouse and children.  Note that a credit freeze does not protect against unauthorized access to your online accounts.
9.      Be careful of suspicious emails or telephone calls purporting to come from Equifax or other companies, or even the police.  If these communications ask you to click on a link, to provide personal information, or to make a payment, it is very likely these contacts will be from scammers.
10. Carefully review monthly statements from your credit card companies, banks, or other financial institutions.  Contact the institution if you see something suspicious, even if it is for a very small amount of money.
11. Check your credit reports often.  You are entitled to a free report once every 12 months from each of the three major credit agencies.  Select one agency every four months.  Use the federally authorized www.annualcreditreport.com website and avoid similarly named websites that try and trick you into a membership or into paying a fee if you don’t cancel within a certain number of days.
12. Keep your computer operating system and antivirus software patched and up-to-date.  Manually click the update buttons every couple of weeks instead of relying completely on automatic updates.  Sometimes there are large updates that aren’t automatically installed.  Do a deep antivirus scan of your computer and attached hard drives every couple of weeks.  Be sure to routinely back up your critical computer data.
13. Get more information at the Identity Theft Resource Center.
14. Implementing these suggestions is time consuming.  However, we must consider that our personal identifying information is now readily available to bad actors.  Therefore, acting sooner rather than later is important in preventing problems in the future.