Appeared in the New York Times on April 17, 2015
By RON
LIEBER
The note that arrived in the mail,
dated March 25 and addressed to my grade-school-age daughter, said what we had
expected and feared: Like tens of millions of other Americans, including untold numbers of children, she may have fallen
victim to thieves who gained access to Social Security numbers and
other personal data from the health insurance
giant Anthem.
In three single-spaced pages, it
noted that anyone who had dealt with the company and many Blue Cross and Blue
Shield insurance plans over the last decade could be
vulnerable. The letter pointed us to anthemfacts.com for more
information, which it described as “our source of truth.”
Here’s what the note did not fully
address, however: What are the odds that someone will steal a child’s identity?
Why would a thief do that, and what exactly can parents do to keep it from
happening?
I know better than to overreact to
this sort of thing. Thieves have to get the data, choose to use it (instead of
chickening out), pick yours to use in nefarious ways and then do so
successfully before any damage to a child’s credit record can occur. Still, a 2011 joint industry-academic examination of 40,000 children caught up in a data breach found that
someone else appeared to be using 10.2 percent of their Social Security numbers.
Most of those instances happened before the breach in question.
Freezing
a Child’s Credit
Nineteen states require credit
reporting agencies to allow a parent or guardian to freeze their child’s credit
file, which helps prevent identity theft.
So crime like this does happen, and
here’s why: Children’s credit reports are clean.
That’s attractive to people who want to begin their financial lives anew for
any number of reasons. Plus, minors don’t check their credit reports or review
monthly bills the way grown-ups do, which means thieves may not get caught for years
or even decades.
One way that people can protect
themselves from many kinds of identity theft is to put a freeze
on their credit reports with Equifax, Experian
and TransUnion,
the three agencies that make a lot of money tracking our financial histories
and selling that information to companies we want to do business with.
A credit freeze is more stringent
than the more popular fraud alerts that many consumers have used in the past.
Putting your reports on ice means that any new creditor trying to open an
account in your name won’t have access to your credit report unless you go into
the system and thaw it. Without seeing your credit report, companies that you
are not already patronizing generally won’t open a new account in your name, so
the freeze usually has the effect of thwarting thieves.
The problem with the freeze,
however, is that you need to have a credit report in the first place before you
can put it in cold storage. Because most children don’t, it’s usually been
nearly impossible to freeze a child’s credit file.
In the last few years, though,
that’s been changing. According to Heather Morton, a program principal with the
National Conference of State Legislatures, 19 states now require the credit
agencies to help parents and guardians create a new credit report for a minor
child for the express purpose of immediately freezing it. Those states are
Arizona, Delaware, Florida, Georgia, Illinois, Indiana, Iowa, Louisiana,
Maryland, Michigan, Montana, Nebraska, New York, Oregon, South Carolina, Texas,
Utah, Virginia and Wisconsin.
Last month, Representative Jim
Langevin, Democrat of Rhode Island, introduced
legislation that would force the credit bureaus to let all of us do this.
Equifax claims that it already lets any parent set up a freeze for a child in
the other 31 states. Experian and TransUnion do not, though TransUnion, on its website,
has a form that parents can complete so the company can check to see if there
are any existing credit files under a child’s Social Security number.
The bureaus aren’t big fans of
freezes, because they’re an administrative annoyance and they throw a giant
roadblock in their business of peddling our information. Equifax, on its website, introduces
freezes as something a consumer does after being victimized, as if we’d all
want to wait until the burglar has left the premises to hire a security guard.
TransUnion deserves credit for at least mentioning
that children may be able to get one. All of them, however, worry about
creating vulnerabilities where there were none by creating a credit file that
did not previously exist.
Still, if you try to set one up for
your child, you’re in for a battle. The agencies want reams of information,
including copies of your child’s birth certificate and Social Security number
plus certain bills that prove where you live. Equifax and TransUnion ask you to
put all of this private information in an envelope and drop it into a mailbox.
Even worse, two Equifax customer service representatives I spoke to this week
insisted that I should put “minor child” at the top of the address. It might as
well say, “Steal this envelope!”
I’m doing it anyway (though without
saying, “Steal Me”), if only to annoy the agencies that so clearly do not want
me to do this.
Freezes won’t stop every kind of
theft, alas. Thieves sometimes use children’s Social Security numbers and other
data to file fake tax returns and get illegitimate refunds, gain access to
health care and work legally even if they are not citizens. In each of those
instances, there may never be a credit check that reveals the freeze.
So what are the ways to keep private
data private that are within our control? Don’t carry around Social Security
cards. Keep them under lock and key at home. Keep your child’s date of birth
off social media. Talk to your offspring about where to click and not to click
on websites and in incoming email. Question school officials and doctors who
want children’s Social Security numbers for forms, as it may not truly be
necessary.
Also, keep your voice down at the
pharmacy and physician’s office.
Robert P. Chappell Jr., author of “Child Identity Theft: What Every Parent Needs To
Know,” sometimes jots down names, insurance information and other bits and
pieces as he listens in those places and then approaches people afterward to
gently correct their data hygiene. So far, nobody has punched him in the nose.
“Most of them are very nice and have no idea about the harm that can come from
it,” said Mr. Chappell, who works in law enforcement by day. “Usually, I’m in
civilian clothes.”
One problem with the various
legislative efforts to fix the problem is that they won’t do much about the
many situations where it’s the children’s own parents who commit the identity fraud. Mothers
and fathers may do this out of desperation, having already wrecked their own
credit or experienced some acute financial calamity. Foster children are
frequent identity theft victims, too. Whatever the reason for the crime, these
parents aren’t about to freeze their children’s files.
So what could stop them? One
possibility exists only in theory, and it’s called the 17-10 registry.
The idea here is that when children are born, their Social Security numbers
automatically go into a “do not break the glass until two months before age 18”
database. Parents could be prohibited from opting out of the database for their
children, and credit reporting agencies (and employers and the Internal Revenue
Service) would hopefully crosscheck it before letting anyone use any Social
Security number. TransUnion is experimenting with its own database
that families in Utah can put their children in.
My daughter seems unscathed so far,
and we are signing up for the free monitoring service that Anthem is making
available for two years. But Adam Levin, the founder or co-founder of two
credit- and identity-related businesses and the author of a book scheduled for
release in November called “Swiped: What Identity Thieves Do and How to Stop
Them,” questioned why the free service
ought to halt then, even if Anthem is paying for a longer period than other
breached organizations have in the past.
“Social Security numbers are like
money in the bank, and thieves don’t need to use them at any specific moment in
history,” he said. “You’re going to have to look over your shoulder for the
rest of your life.”
Then again, you’re probably already
doing that. The companies we pay and the governmental agencies that keep track
of us have proved with startling consistency that they are not up to the task
of keeping our data safe. Then, they compound that by dragging their feet when
tools emerge that allow us to flip a switch and try to contain the damage.
Until that changes, you’re more or
less on your own. But you already knew that, right?