More than Target customers are at ID theft risk
Your personal information isn’t safe.
That doesn’t apply only to the 40 million Target shoppers whose credit and debit card numbers may now be in the hands of hackers.
It’s a trend that’s been clear for many years: The stewards of consumers’ personal info — businesses, hospitals, government agencies — are woefully negligent when it comes to safeguarding data.
Too often, sensitive computer files are unencrypted or left on laptops that get stolen. Aggressive moves by hackers are met with only the most cursory security upgrades.
And it’s not just illegal activities that people have to watch for.
A multibillion-dollar industry has emerged to profit from the buying and selling of perfectly legal consumer data, regardless of whether you’ve given permission for your ostensibly confidential information to be hawked on the open market.
On Wednesday, a leading privacy advocate told Congress that professional data brokers are selling lists of rape victims, people with HIV or AIDS and even police officers’ home addresses to marketers.
“Few people know that data brokers exist, and beyond that, few know what they do,” said Pam Dixon, executive director of the World Privacy Forum.
“Even a knowledgeable consumer lacks the tools to exercise any control over his or her data held by a data broker,” she said. “It doesn’t matter that the data is about the consumer. The data broker has all the rights, and the consumer has none.”
Digital technology has brought many advances to the world. But all those bits and bytes have become low-hanging fruit for legal and illegal enterprises eager to exploit the ready availability of information about where people live, what they buy, who their friends are and how they live.
For marketers, this is a golden age of targeted ad campaigns that allow companies to pitch their goods and services to people with a high likelihood of interest in such things.
It’s no coincidence that if you buy some shampoo online, you’ll be bombarded with ads for all types of hair products. If you subscribe to “Field & Stream,” it’s guaranteed that you’ll receive marketing pitches for all manner of outdoor activities.
Meanwhile, 1 of every 14 Americans aged 16 or older was a target or victim of identity theft last year, according to the latest government statistics. Financial losses approached $25 billion.
On Thursday, Target disclosed that hackers broke into its customer database around Black Friday in late November or early December, making off with millions of purchase records.
For cyber-thieves, ID theft is an almost risk-free crime. Only about 2% of perpetrators end up facing a penalty or prison, according to law enforcement authorities.
With odds like that, many bad guys view all those corporate and public databases of consumer information as easy pickings.
Nearly 622 million consumer records have been made vulnerable by more than 4,000 security breaches since 2005, according to the Privacy Rights Clearinghouse, a San Diego advocacy group.
And those are just the breaches we know about. State and federal privacy laws are dodgy when it comes to holding companies accountable for letting sensitive info go astray.
California, for example, has some of the toughest privacy rules in the country. But when it comes to security breaches, businesses are only required to notify consumers if it’s “reasonably believed” that their personal info has been “acquired by an unauthorized person.”
Who makes that call? The businesses, of course.
“These companies aren’t mind readers,” said Beth Givens, director of the Privacy Rights Clearinghouse. “They have no idea where data will end up.”
Businesses routinely declare their commitment to customer privacy. A Google search for “we take privacy seriously” will reveal how widespread this sentiment is.
But when it comes to demonstrating that commitment, many businesses sing a different tune. In 2011, for example, the U.S. Chamber of Commerce and 13 other leading business groups lobbied Congress not to strengthen consumer privacy protections.
“Self-regulation is best suited to safeguard consumer privacy,” the groups declared.
Kent Yeargin, a Sacramento privacy consultant, said that would be fine if businesses did what was necessary to keep customer data safe.
This requires powerful security software, diligent oversight of databases and an ongoing commitment to keeping employees trained in the latest preventive measures, he said.
“Most businesses do the minimum required, if that,” Yeargin said. “It’s cheaper.”
For consumers, this means the default setting is that your personal info will fall into the hands of the wrong people at some point. It’s almost inevitable.
That means it’s up to you to be your own privacy watchdog. If you don’t do it, no one will.
There are various services out there, such as LifeLock, that say they can protect you from ID theft and fraud. But at up to $25 a month, or $275 a year, that can be a pricey path to peace of mind.
I generally advise people to invest in premium protection services or full-time credit monitoring only if they know for a fact that they’re ID theft victims. If your Social Security number is up for grabs, it’s smart to circle your wagons.
Otherwise, you may be able to keep adequate tabs on your ID by obtaining free credit reports from the top credit-reporting companies — Experian, Equifax and TransUnion.
You’re entitled to one such report from each company once a year. Space them four months apart and you can keep tabs on your credit files year-round at no cost. You can order your free credit files online at AnnualCreditReport.com.
A key benefit of being a member of the Automobile Club of Southern California is that you can get free monitoring of your credit file through Experian.
Also, make a regular habit of reviewing your credit and debit card statements online. They’re usually the first place you’ll spot fraudulent activity.
“You should never assume that your personal information is safe,” Givens said.
Once you accept that, you’re on the right track.
David Lazarus’ column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5 and followed on Twitter @Davidlaz. Send your tips or feedback to david.lazarus@latimes.com.
