Tennessee’s safety department is creating a new unit to investigate identity theft crimes that local law enforcement agencies don’t have the time and resources to effectively investigate. The 14-person unit will include personnel from the Tennessee Highway Patrol and the Tennessee Office of Homeland Security.

The unit will also work with U.S. Secret Service in Memphis and Nashville as well as the Federal Bureau of Investigation. The idea for the new unit came about Tennesseeafter a top to bottom review of state operations and needs. It was apparent to officials that relief available to victims of identity theft and financial fraud in the state was not at the level it needed to be.

The ITRC applauds the creation of units such as this one. As Commissioner of Safety and Homeland Security Bill Gibbons aptly put, “Very few police departments have investigators that have the expertise to investigate these types of crimes. When you go to local law enforcement agencies across the state, they will pretty much tell you that identity crime is one of the toughest types of crimes for them to investigate.”

Gibbons went on to explain that Tennessee law gives the Tennessee Highway Patrol authority to investigate identity theft, though their primary duties are primarily relegated to traffic enforcement. Often the most difficult part of solving these crimes is the fact that they transcend traditional jurisdictional boundaries. In many cases these crimes originate out of state or even sometimes overseas, which is why they are partnering with federal agencies that have wider areas of jurisdiction.

According to Gibbons, they won’t be handling all identity theft cases in the state. Instead, they plan to look at each case individually for certain factors such financial loss, connections to homeland security issues and violation of a state felony theft law, to decide whether to take the case.

The department has also posted a resource kit online for identity theft victims. It can be found at www.tn.gov/safety .

“Tennessee’s New Identity Theft Unit” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC_Blog.

State of Tennessee – Federal and State Resources

When surfing the internet in the privacy of your own home, one might think they are safe from prying eyes, and free to surf the internet without anyone knowing what they’re doing. Unfortunately, this couldn’t be further from the truth. What you do on the internet is information that every retailer and marketing firm wants to know. Why? It’s because these companies use that information to create targeted advertising, which increases sales and thus profits. Targeted advertising simply means that when a company pays for an advertisement they want that advertisement to go to people who will be most likely to purchase whatever the advertisement is selling. For example, sending an advertisement for an expensive boat to someone who is unemployed would most likely be a waste of money.

being watchedCompanies pay for information about your online habits to companies called data brokerage firms or information aggregators. These companies set up thousands of servers specifically to monitor people’s activity on the internet, organize the information to fit a retailer or marketing firm’s needs, and then sell it to the highest bidder. This type of information gathering has set off alarms within the privacy advocacy community as the information collected can at the very least have personal information about you, including age, race, sex, weight, height, marital status, educational level, politics, buying habits, household health worries, vacation dreams and more.

So far, the retail industry has for the most part been self-regulating when it comes to what is right or wrong when tracking you online. According to the World Wide Web Consortium (W3C), an international community where Member organizations, a full-time staff, and the public work together to develop Web standards, privacy advocates and retailers have come to a cautious agreement that an option called “Do Not Track” on web browsers should be available to consumers. When a consumer clicks the “Do Not Track” option, retailers would honor their request and stop their websites from tracking everything that a consumer does on their website. The problem is that all of this is voluntarily and the W3C has no power to enforce any of the standards they promulgate.

Microsoft has added to the controversy over this issue by declaring that their next web browser, Internet Explorer 10, will have the “Do Not Track” option activated as the default setting for their new browser. Retailers and marketers rebuked this idea, threatening not to comply because they believed the standard of complying with the do not track request is only valid if the consumer actively selects it themselves. This latest battle in the protracted war between privacy advocates and the retailing industry has many calling for legislation so that there is some method of enforcing companies to respect the “Do Not Track” option. Surprisingly, several bills have been introduced in both the Senate and the House regarding tracking online consumers. Not surprisingly, all of these bills have been languishing in Congressional committees since 2011. With the attention Microsoft’s move has garnered, the possibility of these bills gaining traction in Congress is becoming more likely.

A bill submitted by Rep. Jackie Speier, the Do Not Track Me Online Act of 2011, requires the Federal Trade Commission (FTC) to create new rules that establish standards for the required use of online opt-out mechanism to let a consumer choose to prohibit anyone from tracking them online. The standards must include a rule requiring covered companies to disclose to the consumer how they collect information and what they do with it, as well as a rule obligating companies to not track consumers if they elect to not be tracked. The FTC would also be given the authority to conduct random audits of covered companies to ensure that they are in compliance with the established standards. For companies not in compliance with these standards, any state attorney general would be permitted to bring a civil action imposing fines up to $11,000 per day with a $5,000,000 maximum cap.

The Do-Not-Track Online Act of 2011, submitted by Sen. John Rockefeller, largely mirrors Rep. Jackie Speier’s legislation; however, his bill lacks any language giving the FTC authority to conduct random audits of companies. While it lacks audit authority for the FTC, Sen. Rockefeller’s bill calls for fines up to $16,000 per day with a $15,000,000 maximum cap.

Lastly, Rep. Edward Markey has put forth the Do Not Track Kids Act of 2011 putting extra emphasis on the protection of children from being tracked online. This bill provides for the same kind of enforceable standards as above, but adds extra standards for minors. This bill would require covered companies to not track children unless receiving parental permission, stop companies from requiring children’s personal information in exchange for allowing the child to play a free online game, and to create an “eraser button” allowing users of a website to erase any current or past information already collected on a minor. While providing a multitude of protections for minors on online, this bill does not provide any recommendations on fines or damages to be paid by companies in violation of its rules.

While it is unlikely that any of these bills will be signed into law in the near future, it is a good idea to keep them in mind as the discord surrounding privacy on the web escalates. For now, the war between retailers and privacy advocates will continue as the struggle for meaningful self-regulation of online tracking makes slow progress. In the meantime, click that “Do Not Track” option if you feel uncomfortable having your online activity monitored and hope that companies are courteous enough to oblige.

“You Are Being Tracked” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.

Most people would think that the person or people who know them best are family members, close friends, or significant others. Unfortunately, one more category must be added to that list and it may be one that knows you better than anyone else: an information aggregator. Information aggregators, or data brokers, collect information regarding individuals and look to sell this information to marketers seeking to advertise their products to the best targeted audience possible.

watchingThis sounds fairly innocuous until one looks at the actual breadth and scope of information these aggregators are collecting. Reps. Edward J. Markey and Joe Barton along with six other congressman sent letters to nine major information aggregation companies citing an article in the New York Times (“A Data Giant is Mapping, and Sharing, the Consumer Genome”) which explains what exactly these companies do. The article focuses on a company called Acxiom which collects information on nearly “500 million active consumers worldwide, with about 1,500 data points per person. That includes a majority of adults in the United States.” Among these data points include “your age, race, sex, weight, height, marital status, educational level, politics, buying habits, household health worries, vacation dreams – and on and on.” The article goes on to state that Acxiom has 23,000 computer servers processing more than 50 trillion data transactions a year.

Just the data points mentioned are disturbing enough, but to think that these companies have up to approximately 1500 is downright problematic. The Congressmen writing the letters to these companies express their concern that, in addition, to the privacy concerns involved with this so called “data mining”, how companies use this information may lead to another process called “weblining.”

Weblining is a process by which companies will grade each individual and base decisions about them solely in regard to the information they buy from companies like Acxiom. Privacy advocates warn that this way of profiling consumers can lead to different classes of individuals which will receive different offers and attention from different companies. Health insurance, higher education, employment, and financing could all be decided before you ever get in contact with an insurance agency, school, potential employer or lender, all based upon the information gathered and collated by information aggregators. The Congressmen behind these letters are especially concerned with what and how these aggregators are collecting information on children and minors, as this method of profiling could impact them the most.

The lack of transparency and the volume of legally collected information on consumers is not the only concern as these data brokerage firms are extremely attractive to criminal hackers. While it is unsettling to know that a corporation has such intimate details about you and your habits, they are at least following the law (as lacking as it may be) regarding privacy. They take measures to encrypt and protect your data to minimize any information reaching any unintended parties. A criminal hacker who successfully hacks one of these data brokerage firms would potentially have personal information on hundreds of millions of people.

With Congress struggling to pass any meaningful cybersecurity laws regarding protecting or collecting personal information from online consumers, it seems that, for now, the individual consumer can only hope his or her information profile doesn’t exclude them from opportunities in life or end up in the hands of a criminal.

“What is Information Aggregation and Why Should You Care?” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.

Either through a failed attempt at renewing your driver’s license, an unexpected failed background check during a pre-employment screening, or through some event more traumatizing, like being informed at a traffic stop that you have a criminal record you were not aware of, you’ve discovered that someone has successfully made a fraudulent driver’s license (or state id card) with your information. Now what? I interviewed ITRC’s senior advisor Wilma to get the best tips for resolving driver’s license or state ID fraud.

governmental id theftITRC: What is the most important first step for any victim of driver’s license fraud to take in order to mitigate their case?

Wilma: They should call the DMV Fraud Department in the state where the fraudulent license was issued and inform them that a license was issued in their state using their stolen information.

ITRC: What can be done if the victim needs a new license in the state where as a result of the fraud, someone else already is in possession of a current and active license?

Wilma: When the victim contacts the issuing state’s DMV, the process will vary slightly depending on the state. The victim should ask that particular DMV what they require to be sent to them in order to get the current license suspended or revoked so that the victim can get a valid license issued in his home state.

ITRC: Ok, what next?

Wilma: The victim must file a police report for criminal impersonation/identity theft at their local police dept. They should also check with their local Social Security Office to determine if SSA issued a replacement social security card and how many were issued.

ITRC: And what if the SSA informs the victim that replacement cards they didn’t request have been issued, potentially to the identity thief?

Wilma: In that case, the victim should submit their police report to the Social Security Administrations, and inform them that the prior requests were fraudulent. Request them to furnish you a Work History Report to make sure no one is employed using your Social Security Number. Then check your Credit Reports, and issue fraud alerts. In the event that any fraudulent financial information appears on the Credit Report, the victim will need to contact each of those creditors, inform them that the debt is fraudulent, and submit to each creditor a copy of your police report, along with a written dispute of the charges.

Identity theft is an ever-growing problem. What follows are 5 simple steps anyone can easily take to reduce their risk of becoming a victim of identity theft.

  1. Get that Social Security Card and birth certificate OUT of your wallet/purse/car: I can’t stress this enough, if you’re not going to get a passport or open a bank account, or process your new-hire paperwork for your next job TODAY, then why are your most sacred identity documents still floating around in your purse or wallet? I can’t tell you how often the ITRC works with confirmed identity theft victims whose cases began out of a lost or stolen purse or wallet. Without an SSN or birth certificate, the theft of a wallet is a temporary inconvenience. You’ll have cancel a few credit cards, maybe close a bank account or two, and get yourself a new license from the DMV. If on the other hand if either or both of those documents were inside the wallet or purse when stolen, congratulations; you’ll now be at an exponentially greater risk for identity theft, and numerous other types of fraud….for the rest of your natural existence. That’s not an exaggeration, once a birth certificate or SSN is compromised or exposed; there is NO perfect solution to putting humpty dumpty back together again. You’ve now forced yourself to become the paranoid, mildly panicky consumer you previously may have made fun of.
  2. Shred Your Mail: Most consumers don’t pay attention to the plethora of personal information we throw away in our discarded mail. Our mail often contains vital information that is best protected from the public. Everything from account numbers, contact information, SSN’s, dates of birth, tax id numbers, all can be found in your mailed correspondence. Invest in a shredder and make sure that any document that contains sensitive personal data makes it through the cross cutters before it goes to the trash. Having a locking mailbox is also a good idea.
  3. Check Your Credit Reports: I know you hear this all the time, from a thousand different places right? But do you really understand WHY checking your credit is a good idea? Think of it being similar to a financial X-ray – if you broke your ankle, you would go to the doctor to get it checked out. Chances are a medical professional knows your ankle is broken just from feeling it, but he orders the X-ray anyway. Why? Because the X-ray allows the doctor to identify precisely where the damage is, and hence the best/most appropriate remedy. A credit report is no different. It will show you if damage to your credit worthiness might exist, and may point out where the damage is coming from. Knowing that someone else is using your credit worthiness, and identifying the SOURCE of bad/fraudulent information is obviously the first step in getting it corrected. Checking your credit is the easiest way to find out if someone else is using your financial good name to acquire benefit, at your cost.
  4. Don’t Send Personal Identifying Information (PII) to an Online Employer: Never give your SSN, bank account numbers, or any other personally identifying information (PII) to an employer you’ve never met in person. Searching online for jobs is a fast, convenient way to job search, but consumers should understand that this convenience is not without added risk. If you haven’t had an in person meeting or at least a few phone conversations with your perspective employer, than why does he need your SSN? Make sure you know the organization that may be hiring you before giving any information. Job scams are a very common way for thieves to capitalize on the desperation of others, so make sure you’re careful with what information you send and to whom you send it. A legitimate organization will almost always want an in-person interview before offering a job position.
  5. Don’t Be Lazy with Passwords: Is your password to your online bank account the same as the one to your email, which is the same as the one to your social media page, which is the same as the one to your fantasy sports team? Password laziness is a key way scammers take advantage of you. They find a way to get access to a piece of information that on its own is harmless (maybe a name and the last 4 digits of your social). This seemingly harmless info may be enough to request a password for an online banking account. Now they have access to one account. From there, if you’re not serious about your password selections, you might’ve just made it that much easier for a thief to gain access to your entire life online. Use capital letters and numbers, and change your passwords at regular intervals.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/itrc-launches-anyone3-campaign.

Especially in today’s age of accessible information, parents are more and more protective of their children’s information. This is a wonderful thing because the more aware parents are of the risks to their children for identity theft, the less likely their children will become victims themselves.

If a situation occurs that could put your child’s social security number in danger (stolen wallet, information breach, etc.) It is natural for a parent to protect their child using the steps that an adult would use on themselves. The thing that is important for all adults to understand is that the process for children is very different and can have negative results if attempted.


It is important to keep in mind that the credit reporting agencies do not know that a person exists until a credit report is started under their social security number. This usually occurs when credit is applied for, like for a credit card, cell phone, student loans, etc. Another way this can occur is if a parent requests a credit report on their child too often. By frequently inquiring into your child’s social security number with Equifax, Experian, and Trans Union, you run the risk of them viewing your credit checks like those done by a creditor. Checking once a year or even once every two years can start a credit history for your child at an age where they should not and cannot be applying for credit. The longer your child has inquiries but not credit on their credit report, the lower their perceived credit score goes. This will make it tougher for your child to apply for credit when they do turn 18 because it will appear that they have inquired for credit, but never received it.

In order to prevent this from happening:

  • Do not check on your child’s credit report unless there is evidence that fraud may be taking place. This can include:
    • Receiving bills or statements under your child’s name
    • Being told your child already has a bank account when you go to open one
    • Problems claiming your child on your taxes
    • Personal information is lost or stolen.
  • Check your child’s credit report when they turn 16 ONLY if one of the above scenarios have occurred. Checking at 16yrs of age allows you time to clear up any fraud that may be occurring before your child turns 18.

Child identity theft is definitely becoming more prevalent on parents’ radars as cases start to be revealed in the media. It is understandable for this concern, but as stated above a parent can do more harm than good if they are overzealous. For more information on child identity theft you can read the Identity Theft Resource Center’s Fact Sheet on Child Identity Theft. If you still have questions you can always call our victim advisor center toll free at 888.400.5530.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/itrc-launches-anyone3-campaign.

When most people think of identity theft, they only imagine the financial implications of someone opening up credit cards or writing bad checks. However, there is a whole world of ways that these creative thieves can use a victim’s personal information. One of those ways is medical identity theft and even within this subset of crime there are even more typed of crimes to be committed. One of those is what is called financial identity theft.

Examples of this type of fraud would include a hospital or a doctor billing you for medical services given to another person. The thief may or may not have a copy of your private insurance card. Here are the following steps you should take if you believe you have become a victim of this particular crime.


  1. Contact the billing department of the medical facility or doctor requesting payment. If you are receiving this notice from a collection agency, then contact the collection agency first. Explain that this is a case of identity theft or mistaken identity. If the billing department is reluctant to help, then contact the attending doctor, or the medical facility’s fraud or legal department.
  2. Ask what proof they have that this person is you. There is almost always a physical description of the patient. Does it match you? You might be able to show that your height, weight, skin color, age, blood type, or sex is not the same as the “patient.”
  3. Ask when service was provided. You might be able to prove you were somewhere else during that period.
  4. What service was provided? If surgery was done or a condition was diagnosed, you might be able to prove you don’t have a scar or that condition.
  5. Ask if your Social Security Number (SSN) was used or just a name and address. If your SSN was used, you will need to follow the information in ITRC Fact Sheet 100 – Financial Identity Theft: the Beginning Steps and check your credit reports. This thief may be affecting your credit status in other ways. They may be opening new lines of credit or leaving other collection actions behind.
  6. Ask if this person used your medical insurance card or number. If so, contact your insurance company and report the problem. Ask for a new number on the replacement card. They may also have a fraud department that tracks cases.
  7. File a police report in your city and state of residence. You are a victim of a crime. At your earliest opportunity, obtain a copy of the police report.
  8. Send copies of your affidavit of fraud, the police report, any other supporting documentation proving identity theft to the medical billing department and any additional collection agencies which may be involved. Please remember to mail this documentation certified, return receipt requested.
  9. Once the provider agrees this is a case of fraud or identity theft, get that agreement in writing and keep it in a safe place forever. This is called a Letter of Clearance.

While this seems like an overwhelming amount of activity to clear your name, it is not. It will be difficult and you will be angry that this has happened to you, but it can be rectified. If at any time you need additional help or have questions you can always call the Identity Theft Resource Center at 888.400.5530 to speak with a live Victim Advisor who is trained to help you through this process. There is also additional information on the Identity Theft Resource Center’s website which may be helpful.

If you have scratched below the surface of the avalanche of articles on identity theft, scams, cyber-security, or related topics, you have probably run across the term “spoofing.” However, even many of us that work in the field are not very good at explaining to others what the term means, and the various ways the term might be used. So, here goes….

From www.dictionary.com:

spoof; noun

  1. a mocking imitation of someone or something, usually light and good-humored; lampoon or parody: The show was a spoof of college life.
  2. a hoax; prank.

In the context of cyber-security and related subjects, “spoofing” means providing false information in order to make the intended victim think the communications has come from either someone they know, or a business or entity that they would tend to trust. However, there are a number of types of “spoofing”, some more technical than others:

  • IP spoofing is a technique used to make a computer user think that a particular Internet IP being presented is a safe computer/server, and should be trusted. Most of us don’t directly confront this type of spoofing, and probably are unaware of how it works. Just like phone numbers, IP addresses are supposed to signal a unique address or location across the Internet, so faking an IP address can be used by criminals as a method of becoming part of a trusted network. A consumer is unlikely to be directly confronted with IP spoofing, unless they are working in a technical field.
  • Caller ID Spoofing is used to make an incoming call present a phone number that the intended victim might know or trust. However, the number appearing on the Caller ID is not the real calling number, and “spoofing” the number is used for exactly that purpose, to gain trust in a situation when none should be given. With the advent of VOIP or Internet-based phones, the ability to make an incoming call look like it was from San Diego, when the caller is in Russia, is a fact. Caller ID cannot be trusted to determine anything about the caller. Caller ID Spoofing is done quite often, and the average consumer is often in the dark as far as knowing who is really making the call. If in doubt, the best policy is to disengage from the call, then look up the company by name, and call a listed number for the company to inquire about the contact. It should be remembered that people who do business with you already have the information about you, your account number, etc. It is an entirely different situation if you call the company, and are asked for credentials before they will discuss your business with them. However, if the call is coming from them to you, they are the ones that need to prove who they are before you give them any information. Be warned!
  • Email Address Spoofing is probably the most common type of spoofing. Most of us have seen this many times on incoming email, although we may not have recognized it. All of us observe the senders name/address on incoming emails to see who the sender might be, and whether we think about it or not, we tend to give credibility to that email based upon any previous knowledge we may have of the purported sender. Spoofing the “From:” address is often done as part of a fraudulent scheme. If the “From:” address makes you think the email should be trusted, then you are much more likely to click on a link or take other action, or otherwise give some credibility to an email that is coming from a complete stranger, and possibly a thief. Many of the emails used in “Phishing” schemes will have spoofed sending addresses. In fact, a more deadly form of this attack, called “Spear Phishing” uses email addresses from someone recognized as an authority, such as a highly placed executive of your company, to make your response even more likely. You are not going to turn down a request from your Vice President are you? And, it’s a given that website links in these spoofed emails cannot be trusted: they are spoofed also, and will very rarely point your web browser to the address that the link purports to be. Altogether, it is wise for all of us to be wary of incoming email, unless we are very sure of the sender and the authenticity of the message.
  • SMS or Text Spoofing: In a similar fashion to Caller ID and email spoofing, it is also possible for a text message (SMS) to appear to be from a trusted source, while it really is from a quite different sender. In a manner similar to other types of spoofing, be very aware when a text message invites you to take actions, or strongly implies a course of action that you had not anticipated. Like other forms of spoofing, the best answer is to be suspicious and fact check, before you act.

Spoofing is a part of the world we live in now, and it is a key element of the “social engineering” used against consumers in attempts to commit fraud and identity theft. Being skeptical and checking information by other means is really the key to avoid becoming a victim.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.

These days we hear a lot about “the cloud.” There are services encouraging you to upload your data to the cloud, and you can access it from anywhere and easily share files with others. But the flip side is the fact that you’re pushing your personal information from your own computer to data centers where you no longer have control over it. If you backup your computer to an online, or cloud, backup service, how do you know your data is safe?

What Is Cloud Backup?

Let’s first define what a cloud backup provider is: a cloud (or online) backup service consists of an application that runs on your local computer which copies files to an online data center. In the event of a hard drive failure, theft, fire or flood, you can then restore (or copy) your data to your replacement drive and not lose any files.

Cloud Backup Encryption

Many files contain personal information, which should remain confidential. In order to do this, cloud backup services encrypt the data before transmitting it. Most services use at least 128-bit encryption (the same as banks use) and will transmit the data via a secure connection. To decrypt the data, your private key is required. Without it, the data is useless.

To make online backups easy for customers to use, providers typically will store the private key for you. After all, if you lose the key, you can’t get the data back. But, this means that with a court order, these providers can use your private key (which they store) and gain access to your data. To prevent this, create your own private key and either memorize it (it can be any length you’d like) or save it to another location (don’t save it to your hard drive, as if the hard drive fails & you can’t read the key file, you won’t be able to decrypt your backup set).

Cloud Backup Best Practices

Maintaining your own private key is a good step in securing your cloud backups, but the file structure is still saved in a non-encrypted format. So, if you have a filename or folder name that contains personal or confidential information (such as bank_accounts/5675196254.xls), the filename can be read and data assumed without even decrypting the file. To combat this, look for a service which not only encrypts the data, but also the filename and folder structure.

Local Backup: An Alternative

Keeping a local backup of your data is often cited as an alternative to a cloud backup solution. The argument is that it’s cheaper (buy a 1TB drive for under $100 and add $20 for some backup software) and faster (a full local backup takes a few hours, a full online backup can take weeks). However, if you choose to backup your data to an external hard drive, make sure the data is encrypted. No need to make it easy for a thief to walk into your den and snag all of your data.

When compared to local backups, the online service can be more affordable (it’s easier to pay $5 per month than it is to shell out $120 all at once) and while the initial backup is slower, subsequent backups only transfer the files that change, making them just as fast as the local option.


In the end, having an online backup with the default encryption choices is still a better bet than no backup at all. Cloud backups give you remote access to your files and protect you when your hard drive fails (all hard drives fail – it’s a matter of “when,” not “if”). Knowing the different encryption options will help you choose the best online backup service.

Eric Nagel is owner of OnlineBackupsReview.com, a site which reviews various online backup services. He’s been covering the online backup industry since 2008.

While more light still needs to be shown on all the electronic data breaches that are occurring every day, the less flashy and attention-getting forms of attaining personal identifying information should not be overlooked. These “low-tech” strategies for stealing one’s information include stealing wallets or purses, mail theft, sifting through dumpsters for documents, and spying over your shoulder while you handle personal identifying information. The easiest of these forms of identity theft with the lowest risk of detection is looking for your documents in the trash, otherwise known as “dumpster diving.” It is of utmost importance to be vigilant against these forms of theft and one of the easiest ways to minimize low-tech ID theft is to keep a shredder handy around your house or office.

document shreddarThe Identity Theft Resource Center maintains a cutting edge Data Breach Report on the type and number of data breaches in the United States. While electronic data compose the overwhelming majority of data breaches, paper data breaches still make up over 15% of all data breaches reported so far this year. While 15% may seem low, people must be aware that paper breaches can often be much more devastating than electronic breaches. While an electronic breach can be just as devastating, the information compromised in an electronic data breach may be just an e-mail address, a password, or user name.

With Congress starting to take notice of cybersecurity, it is likely that low-tech ID theft, especially paper breaches, may increase as businesses begin to make a greater effort to upgrade their information technology systems. Paper breaches will often have significant amounts of your personal identifying information (PII) with extras such as what your signature looks like, fingerprints, or copies of your photo identification in a file. This is the mother lode for an identity thief. Now, the safest route to take is to simply shred every single piece of paper you throw away, but obviously not everyone wants to take the time and effort to shred that much paper on a daily basis. While you do not have to shred everything, you should always shred the following documents as soon as possible: tax returns, bank statements, credit card offers, old photo identification cards, pay stubs, convenience checks, canceled checks, old Medicare cards, and canceled credit cards or debit cards.

These documents all contain sensitive personal identifying information that an identity theft can use to do considerable damage to you. Use a crosscut shredder, which means that the shredder won’t just cut the paper into long lines, that cuts the paper being shredded into hundreds of pieces which makes it virtually impossible for an identity theft to put back together. For documents containing PII that you must absolutely hang onto, the best thing to do is to scan these documents onto your computer, transfer them to a thumb drive, and then delete them from your computer. Store the thumb-drive either in a safe storage area like a safe or hide it somewhere that a thief would have trouble finding it.

“Shred for Your Protection” was written by Sam Imandoust, Esq. Sam serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the ITRC Blog.