Intro

Every day, data is collected from each of us, usually without our knowledge and sometimes even without our consent. Think about a typical day in your life. You pay your bills and buy things with your credit cards and checks, leaving a data trail that shows what you bought, when you bought it, how much you paid, and (if you’re shopping online), what other stuff you looked at. You swipe your supermarket loyalty card when buying groceries, contributing to a massive database that tracks what you bought and when. You drive your car through an electronic tollbooth, where your account is debited and your trips are tracked. At home or work, you surf the Web, make online purchases, and IM your best friend. Every action you take adds to your growing trail of mouse clicks and other data.

And it doesn’t stop there. At times, you might also subscribe to a new magazine, sign up for a music club, fill out a warranty card, donate money to a charity, register to vote, buy a hot stock, make a telephone call, or visit your dentist. All of these transactions leave a data trail.

No matter who collects information about you or where it’s stored, you can count on one thing—data aggregators will find it. These aggregators (also known as data brokers, data miners, and data merchants), make billions by collecting every morsel of personal, professional, financial, and medical information they can dig up about people, and then selling it for profit—probably multiple times.

For the most part, data aggregation isn’t harmful. In fact, it helps companies provide better goods and services to consumers, and helps employers, insurers, and lenders make better decisions faster. This results in the conveniences we’ve come to rely on, such as instant loans, quick insurance quotes, and targeted coupons and advertisements.

However, there’s a dark side to having your personal information so easily accessible, as we’ll describe in this chapter. We’ll also show you how simple awareness and a few precautions will help you can enjoy the convenience of modern technologies without compromising your identity.

Behind the Scenes: How Your Data Gets Collected

Even before the age of computers, businesses began keeping detailed records of their customers, for reasons ranging from recommending other products to chasing after an unreturned video. Schools have long kept records of their students and alumni, government agencies have maintained records of people they’ve served, and doctors have kept notes on illnesses and medications. The difference now is that they’re all putting this information onto computers or online databases.

Added to that, the Internet has introduced the ability to track your movements, quite apart from the basic data you enter. Everywhere we go, we’re tracked by Internet cookies. Online companies such as Google, Microsoft, and Yahoo take note of what products, entertainment, and music people like and what they search for, so that they can boost their online advertising revenue.

Enter the aggregators, who have fashioned themselves as central collection points for all this information. There are thousands of them, large and small, currently operating in the United States. Before today, you may not have heard the names Acxiom and LexisNexis, but you can bet they’d heard of you. In fact, they and other aggregators (including the credit bureaus) probably have pages-long files of your personal information. And this is despite the fact that you’ve probably never directly given them permission to gather this data in the first place. How exactly do they get it?

Much of the information gathered and sold by data brokers comes from public records—courthouses, county tax assessors, and Department of Motor Vehicle databases—many of which have inadequate restrictions on how the information is secured. For example, a 2008 audit showed that Colorado’s Division of Motor Vehicles regularly sends personal information over the Internet without encryption and inadequately limits access to its databases. Even Social Security numbers can be readily accessed from some public records.

Omitted from sample chapter: USA Today Snapshots: Specialists in Spam chart

Data aggregators are also willing to pay for personal information (some of which you might have thought was private). That’s how they get pieces of data like unpublished phone and cell numbers, phone records, and customer lists from companies like Capital One and Hilton Hotels.

Although you may think you’re being careful about who you give your personal information to, handing a tidbit of data to one business or person may quickly put it into the hands of others. Consider your email inbox. If you’re bombarded by spam, it could partly be because you gave your email address to a Web-based company. When you give out your telephone number or address, the same thing happens. You may think your cell phone is officially unlisted, but if you’ve ever used it to order a pizza, the pizza delivery company may have sold it.

Omitted from sample chapter: USA Today Snapshots: Internet use up for young and old chart

While most data aggregation companies play by the rules in gathering information, some data resellers have been caught breaking them. It’s not uncommon for these companies to use private investigators to dig up personal facts, who sometimes tell outright lies in order to obtain confidential information.

Who They Sell Your Data To

The snapshot that data aggregators create of you—or pieces of that snapshot—will be sold countless times in your lifetime. Most of the aggregators’ customers are legitimate: Banks and landlords buy information to ensure that their applicants are creditworthy. The police use it to track down criminals and terrorists. Marketers use customer data to help develop products and promotions appealing to specific customer segments.

Sometimes, data aggregators actually sell government and business organizations the very same information collected from them in the first place. With government agencies notoriously inefficient at sharing information, the U.S. government spent an estimated $30 million in 2005 buying personal data in order to locate witnesses, track terrorist groups, conduct research, and locate people for various reasons, including collecting child support, settling outstanding debts, or warning people they’d been exposed to certain viruses.

Of course, the aggregators’ customers also include criminals planning to commit identity theft. The media contains many stories about how someone’s personal information was lost, stolen, or otherwise compromised due to misuses of aggregated personal information—like in May 2007, when The New York Times reported that consumer data broker InfoUSA made huge profits selling lists of senior citizens and other easy targets to possible identity thieves and con artists. Particularly damning was that, according to the article, one of InfoUSA’s lists of names proclaimed: “These people are gullible. They want to believe that their luck can change.”

As that example shows, the identity thief may not start out targeting you personally. Data aggregators can supply lists of potential victims. For example, a list of 601 charity donors in Pleasanton, California, can be purchased from USAData for $75. A list of 36,000 people who earn more than $150,000 per year in New York City, including names and phone numbers, runs a mere $1,800.

Most aggregators don’t intentionally sell to thieves, but nor do they make it terribly difficult for thieves to pose as legitimate customers. To deal with the problem, the larger data aggregation companies have embarked on a policy of not selling consumer information to individuals, and being increasingly careful about whom they provide certain types of information to.

However, there are plenty of smaller data resellers out there who don’t follow such policies. For example, many private investigation companies use data aggregators to get the “dirt” on people they’re hired to investigate. Specialized data aggregators such as ExcellentDetective.com sell unlisted phone numbers, birth dates, attorney records, DUI files, and much more. Their online advertisement might be tempting to more people than honest detectives: “Just think of all the dirt & secrets you could get on your friends, family, coworkers, and even your neighbors with Excellent Detective by joining right now.”

Other companies like Abika.com offer to identify the physical address, including street name, behind an email or instant message. Gum-shoes.com promises that “if the information is out there, our licensed investigators can find it.”

The upshot is that, for just a few dollars, an identity thief can piece together enough information to steal your identity. Your address might cost a quarter. Got an unpublished phone number? That’ll cost about $20. Your Social Security number might go for $10. And $50 would buy a complete background check, including your date of birth, phone number, address, employer, property records, and perhaps even a list of your roommates and relatives.

What’s more, identity thieves can buy far more than your basic data. The aggregators can tell them what your mortgage payments are, where you shop, how much money you owe on your car loan, what bank you use, whether you subscribe to Good Housekeeping or Playboy, and whether you’re more likely to visit Las Vegas or Dubai. Armed with all this information, a criminal could conduct a highly targeted identity theft scam against you personally, such as phishing or pretexting.

For example, if a phisher learns that you owe $2,000 on your Honda Civic, you might receive an email that looks just like the ones you get from your lender and includes language like: “Click here to lower your Honda Civic payments from $2,000 to $1,000.” Because the message includes accurate details about your loan, you’re more likely to be duped.

Omitted from sample chapter: USA Today Snapshots: Searching for jobs online chart

Are there any restrictions on who can look at your data? Yes, although they cover only credit records, and even these restrictions aren’t always upheld. The Federal Fair Credit Reporting Act requires that your credit record be provided only to those with legitimate business purposes, including lenders, landlords, employers, insurance providers, and government and law enforcement agencies. Of these, only employers are legally required to get your written permission, although most potential creditors, insurers, and landlords pull your report only after you’ve submitted an application. Still, it’s well known in the data aggregation industry that many data resellers simply rely on their customers’ word that they have a legitimate business need.

Omitted from sample chapter: USA Today Snapshots: When information has been exposed chart

Also, the CRAs create massive files of personal information about you, which they package as credit reports, consumer reports, and marketing lists and sell to lenders, merchants, landlords, and other businesses. Once the information is out of your credit file and in the hands of private businesses, there is little regulation of how it can be used or shared.

Can Someone Really Buy Your Social Security Number?

Perhaps the biggest concern for consumers is that Social Security numbers, the key ingredients for identity theft, can be purchased through data aggregators. Many schools, insurance companies, and doctors’ offices still use the Social Security number as your account number, and then share your records with data aggregators. It doesn’t take a genius to figure out what your nine-digit account number represents. And data aggregators themselves—particularly credit reporting agencies—use your SSN to help link pieces of your consumer file together, like your driver’s license record, credit card account activity, and employment history.

To make matters worse, SSNs are sometimes made publicly available due to the lax security practices of private and government organizations. For three years, the California Secretary of State’s office routinely placed thousands of documents containing Social Security numbers on the Internet and then sold them to the public for $6 each. (When the security breach was discovered in 2006, officials shut the site down immediately.) In addition, many local government agencies have been known to write Social Security numbers on tax liens and other public records.

Omitted from sample chapter: USA Today Snapshots: Who should be held legally responsible for corporate data security chart

No law prohibits Social Security numbers from being bought and sold, so it’s unlikely that ChoicePoint and other data aggregators will stop selling them anytime soon. For this reason, you should treat your SSN like it’s your bank account PIN. Unless it’s absolutely necessary and requested by a legitimate organization for a legitimate reason (we’ll dive deeper into this later in this chapter), always refuse to give it out.

Will Data Protections Improve Anytime Soon?

Existing laws and rules on how information can be bought and sold are ill-suited to protecting consumers. Because many identity theft cases and data breaches have been linked to privacy flaws in the data aggregation industry, major data aggregators, such as LexisNexis and Experian, have promised to restrict the availability of such data.

This is good news. As a result of reforms by the major data aggregators, the majority of the data is now collected for legitimate purposes: for employment screening, insurance underwriting, credit checks, debt collection, and law enforcement agencies. In addition, most reputable data aggregators restrict who can gain access to sensitive data like Social Security numbers. And most companies claim to thoroughly screen their customers before releasing your data to them.

Omitted from sample chapter: USA Today Snapshots: What the boss might see chart

However, as various breaches and investigations have shown, plenty of holes remain in the data aggregation system, raising questions about the tradeoffs we accept when we fill out a form or sign up for a free service.

Are You Giving Out More Data Than You Need To?

When it comes to leaks of your data, you may have to share the guilt. Many consumers say that privacy is important to them, but then hand over vital personal information as soon as someone asks for it.

Google’s Gmail service is a good example. In 2004, when Gmail launched, many people laughed. Who would sign up for an email service that would scan your emails and send you ads based on what those emails said? Surely they’d be too concerned about potential privacy. The scoffers were wrong. Today, Gmail is booming with millions of happy, privacy-free users. (And, to be fair, Gmail is fairly safe; while Google shares your surfing habits with other companies and organizations, it doesn’t sell personally identifiable information.)

Whenever you sign up with a company for a service that requires a password (such as Gmail, My Yahoo, or a personalized search), you’re handing over the keys to your online identity. For example, if you sign up for Google’s Desktop Search, you’ll be able to quickly and easily search files stored on your computer—and so will Google, and anyone who manages to breach its security.

Omitted from sample chapter: USA Today Snapshots: Most think employers protect personal information chart

Many consumers behave in ways that seem to directly contradict their demands for privacy online. They post private information, photos, and personal files on public websites, especially social networking sites. Identity thieves can use these to create “identity packets,” which help them conduct pretexting and phishing scams.

But even for the careful consumers, it’s hard to avoid the conclusion that data brokers, corporations, and the government know more about you than you think—or would like. So what should you do? Everything in your power to take control of your data!

Taking Control of Your Data

A legislative solution reining in the data aggregators may be far down the road, so how can you protect yourself in the meantime? The short answer is to be careful and guarded with your information, and take action to protect it any time you feel it may be at risk.

By now, you know that you’re allowed a free credit report from the three major credit reporting bureaus once a year. (If you forgot how to order it, go back to Chapter 3.) That’s one good way to check for identity theft, no matter where the thief got the information about you.

Here are the best ways to limit the amount of information circulating about you:

• Opt out of marketing lists. The big-three credit bureaus (Equifax, TransUnion, and Experian) make a pretty penny selling your information to credit card companies, who then send you preapproved applications. To remove your name from their marketing lists, simply call their opt-out line: 888-567-8688, or visit www.optoutprescreen.com. You can choose to remove your name permanently or for a two-year period.
• Provide your Social Security number only when absolutely necessary. It may seem like everyone asks you for your Social Security number. Just say no, unless there’s no other option. For example, when filling out tax forms, applying for a job, or opening a financial account, you’ll need to provide it. But if a school, medical office, marketer, or business asks you for the number, always ask why it’s required, how it will be used, what will happen if you don’t provide it, and whether you can create an alternate number to identify your file or account.
• Sign up for the Direct Marketing Association’s (DMA) Mail Preference Service. The DMA manages a Mail Preference Service that allows you to opt out of receiving direct mail marketing from participating companies for five years. When you sign up, your name is added to a “delete” list and sent to direct mail marketers. To register, send a letter to: Direct Marketing Association, Mail Preference Service, P.O. Box 643, Carmel, NY, 10512; or register online at www.the-dma.org/consumers/offmailinglist. html. (Unfortunately, registering also means you’ll stop receiving catalogs from places you like.)
• Opt out of telemarketing. Enroll in the Federal Trade Commission’s Do Not Call registry by visiting www.donotcall.gov or calling 888-382-1222. This prevents companies from selling your information to at least some others.
• Review privacy policies whenever you visit websites. Your favorite online surfing spots can collect a lot of information about your visit—what model of computer you use, what other sites you’ve visited, what searches you conducted, and much more. Sites that ask you to provide even a small amount of personal information can combine bits and pieces of information about you over time to create a snapshot of your online habits. Before providing any information, wade through the site’s privacy policy to find out how the company collects, shares, and protects your personal information, then decide whether it’s worth the exchange.
• Don’t fill out surveys on warranty cards. Simply provide your name, address, and necessary product information—you’re not required to complete the surveys. Be especially careful with direct mail surveys from companies you don’t know or trust.
• Don’t give out sensitive information. This means on the phone, through the mail, or over the Internet, unless you’ve initiated the contact or you’re sure that it’s from a company or organization you trust. When in doubt, contact the company to verify its legitimacy. Even then, provide only the information you know they need to know.

If you wish, you can also find out what sort of consumer data is being compiled on you, including about your employment, rental, and medical history. The list below includes the companies most likely to have the scoop on your habits and history. While not all of these organizations will have records on you, you’ll likely be on file at many of them. For a small fee, you can order your consumer files. If you find major errors, you may want to dispute them. (It may not make a huge difference to your chances of becoming an identity theft victim; but if, for instance, you’re applying for a Catholic school teaching job, you don’t want your background check erroneously reporting that you’ve worked at a strip club for the past five years.)

Omitted from sample chapter: Companies That Compile Consumer Information chart

Defending Yourself Against Data Breaches

Despite your best efforts, you might read in the paper—or get an actual letter informing you—that a database containing your name has been breached. Through no fault of your own, such breaches can deliver personal information such as your name, Social Security number, driver’s license number, bank or credit account numbers, Personal Identification Numbers (PIN), passwords, or medical information, into the hands of identity thieves.

Approximately 49 million American adults have been informed over the last three years that their personal information had been lost, stolen, or improperly disclosed. (Source: Survey by Harris Interactive.) The majority of these notifications came from government agencies and financial institutions. For example:

• A U.S. Transportation Security Administration vendor reported that a laptop containing unencrypted personal records of 33,000 customers seeking to enroll in the company’s Registered Traveler program was stolen in August 2008.
• A laptop containing the names, birthdays, and Social Security numbers of more than 26 million military veterans was stolen from the home of an employee at the Department of Veterans Affairs (VA) in 2006.
• A data intrusion into the Hannaford supermarket chain’s network in March 2008 exposed nearly 4.2 million credit and debit cards and led to 1,800 reported cases of fraud.
• Harvard University notified 10,000 applicants in March of 2008 that their Social Security numbers and other personal data may have been accessed by hackers through a file-sharing site.
• The Department of Justice indicted 11 people in 2008 for hacking into the databases of several major U.S. retailers—OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, Marshalls, and TJ Maxx. More than 40 million credit and debit card numbers were stolen.

Fortunately, not all data breaches result in identity theft. But if you find out that a breach has occured, it’s in your interest to take precautions. Here’s how:

• Take notifications seriously. Thanks to state laws and company policies, many organizations notify victims after a data breach has occurred. Be sure to read this correspondence and take advantage of any assistance (such as free credit monitoring) they might offer. If you have questions, call the organization’s customer service line.
• Freeze your credit as soon as you hear about the breach. A credit freeze blocks access to your credit file unless you authorize the credit bureaus to release your report. This dramatically reduces your chances of becoming a victim.