The Equifax Breach, and what you should do to protect your credit

While this post is not, strictly speaking, on the “Entertainment Law” beat,  several clients asked me about it, and I addressed their concerns in my e-newsletter (sign up in the sidebar).  On recommendation from a friend, I'm reposting it here as a service to readers.

DISCLAIMER: I'm not a data-security expert, and the above should not be considered legal advice. This is not an exhaustive list of recommendations. If you deal with sensitive, confidential or private information, it's your responsibility to ensure you're following prescribed protocols. If you need help, contact me, and I'll be happy to refer you to a qualified expert.

By now, you've certainly heard that credit reporting company Equifax suffered a massive data breach over the past few months, and that means that we are all much more vulnerable to identity theft. According to news reports, the breach affects somewhere around 143 Million people… nearly half of the U.S. Population. The hackers not only got identities, they also stole addresses, Social Security numbers, birth dates and driver’s license numbers, and even some folks' credit card numbers.

A few of my clients and friends have asked me what they can do to protect themselves. Here's what I've learned.

First, take a few minutes to “Freeze” your credit by visiting Equifax's web-based tool at freeze.equifax.com. Apparently, the company is waiving its usual fees for implementing a freeze. This automated tool has been giving some users error messages, so you can also submit your request in writing to this address and supply the same information, by following these instructions:

Equifax Security Freeze
P.O. Box 105788
Atlanta, Georgia 30348

Note: I strongly recommend AGAINST enrolling in any program offered by Equifax that requires you to agree to an arbitration clause, or which purports to limit the bureau's liability. They currently claim they're not requiring this, but be sure to read the full terms to make sure you're not limiting your ability to seek redress if you suffer damages.

Next, visit the other credit bureaus:

Experian (https://www.experian.com/freeze/center.html)

and

TransUnion (https://freeze.transunion.com/sf/securityFreeze/).

(which will cost around $10 per bureau)

Once you've finished, though, your credit will be frozen, and nobody will be able to apply for credit in your name and using your social security number, etc.

Freezing your credit is a great way to stop thieves or computer errors from messing up your credit history. But it's also somewhat of a hassle, since any time you legitimately want to apply for credit, you'll have to “thaw” things by contacting the bureaus and providing a verification of your identity, PIN, etc.

If a freeze will be too unwieldy another option is a Fraud Alert. Where a Freeze locks-down access to your credit altogether, A fraud alert allows creditors to get a copy of your credit report as long as they take steps to verify your identity. For example, if you provide a telephone number, the business must call you to verify whether you are the person making the credit request. Fraud alerts may be effective at stopping someone from opening new credit accounts in your name, but they may not prevent the misuse of your existing accounts. You still need to monitor all bank, credit card and insurance statements for fraudulent transactions.

Freezes and Fraud Alerts are important first steps, but they only protect against the theft of your identity, and not against other kinds of cybercrime, espionage, etc. Because the Equifax hackers have stolen a treasure trove of personal information, they may be able to use it to gain access to your online accounts, banking services… Anything that requires a password or identity authentication.

So, here are some additional data security tips:

• Change your online passwords (frequently) using long, non-dictionary words and phrases that include alphanumeric characters, special characters, punctuation marks.
• Don't use the same password(s) on multiple sites.
• Consider using a password manager tool to keep track of things.
• Ask online banking, and financial services companies about enhanced security options like multi-factor authentication, security tokens, and the like. Again, these may be a bit of a hassle, but certainly less so than recovering from identity theft.
• Always log out of sites when you finish your business.
• Never respond to emails, texts, or social media posts that ask for personal information, logins, or passwords.
• Don't click buttons or links in email unless you're sure they're safe and are coming from a trusted source. Even then, double check the link before you proceed.
• Review your credit reports from time-to-time, and make sure they're accurate and complete.
• Back-up your computer to at least two places – one locally, for easy access and one off-site (or in the cloud) so your data will survive a catastrophic fire, flood, power surge, etc. Backups should be encrypted.
• Don't launch attachments you receive via email unless they're coming from trusted sources, and you've specifically requested them.
• Don't insert a USB thumb-drive or SD card into your computer unless you know where it's been. (an interesting hack I've read about recently involves leaving an enticingly-labeled usb drive for someone to “find” in a parking lot. When curiosity gets them to insert the drive in their office computer, a bit of code is executed that gains access to the system and the network, allowing infection to spread, and evil-doers to access files remotely.)