Identity Theft

I have Anthem. What should I do?

anthemvarvelcartoon
Cartoon by Gary Varvel

So since the Anthem data breach occurred, several people who either currently have or have had Anthem coverage have asked me what they should do.  To the best of my knowledge, Anthem has not yet sent out any notification letters informing individuals that their specific information was breached.  But, Anthem seems to know the universe of individuals whose information may have been compromised, and this is what they are using to notify the general public about the scope of the breach that has occurred. Anthem has set up a website to provide information about what happened and what data may have been compromised. For the time being, they are saying that if you are or have been a client of Anthem’s affiliated health plans and/or a member of other independent Blue Cross and Blue Shield plans in the last 10 years (essentially since 2004), you may be impacted.  Many companies who offer insurance through Anthem have posted links or emailed their employees about the fact that the breach occurred.  For my colleagues here at UConn, you may have seen that Kevin Lembo, the Comptroller for the State of Connecticut, has posted a notification to State Employees about the breach on the Office of the State Comptroller’s website.

So back to my post from yesterday:  I have just learned that my information may have been compromised in the Anthem Breach; what do I do?  Well, first I would start with Anthem’s informational website they created about the breach.  Anthem is offering an option for individuals who may have been impacted by the breach to protect themselves for the next 24 months (and some of the services carry over beyond 24 months depending on what you choose to do).

More information about what Anthem is offering through AllClear ID can be found here. But to get you started, AllClear ID is offering a couple of different options to those impacted by the Anthem breach:  AllClear Secure and AllClear PRO.  The services are very different.

So should you consider the services offered through AllClear ID?  Is AllClear ID reputable?  Is taking a wait-and-see approach and using AllClear Secure if you find your identity has been harmed later the right approach? What about the fact that you would have to give AllClear ID your social security number to enroll in AllClear PRO?

Enrolling in services such as those provided by AllClear ID is a personal choice.  If you are not opening up new credit any time soon (i.e., buying a car, opening a credit card, buying a home), you may be comfortable waiting or monitoring your credit on your own. If you are going to be opening up new credit, or do not want to monitor your credit on your own, you may want to consider AllClear PRO as an option.

Yes, AllClear ID is a known entity.  They have handled numerous of the large breaches.  In full disclosure, they are the vendor that UConn has used when we have had data breaches in the past. There are certainly other reputable companies in the marketplace that offer credit monitoring and/or identity repair services.  Your bank and credit card companies likely offer services as well.  Again, how you personally monitor your credit and your own sensitive information is a personal choice.

BUT, be aware that there are also scam artists out there looking to further take advantage of the vulnerability you are now feeling.

So here are my suggestions:

  1. Read the notifications you receive from your employer, on Anthem’s general breach information websites and should you receive one, direct notification to you from Anthem.
  2. Read the options that Anthem is offering through AllClear ID.  Call AllClear ID at 877-263-7995 and ask questions of their advisors if you feel you need more information about the services available.
  3. Think about your own personal situation.  Decide what (if any) sort of credit monitoring, protection, insurance and/or assistance might be useful for you.
  4. And again, going back to my blog post from yesterday, visit the Federal Trade Commission’s (FTC) identity theft information page, the Better Business Bureau, your State’s Attorney General (here is Connecticut’s) or Consumer Protection agencies, and the credit bureaus (Experian, Transunion, Equifax) for more information and other options to assist you.

I’ve just learned I’m a victim of a data breach. Now what?

So when I start writing most blog posts, I try to come up with an interesting blog title to grab your attention.  See above.  Check!  Next, I search the web for a great graphic (usually I Google it!) to add to the post.  For this post, I Google’d the phrase “data breach victim.”  Try Google’ing that and see what comes up.  I was hoping I might find a cartoon of a person looking defeated or scared.  Something witty by a cartoonist or journalist who could really capture what a data breach victim feels after learning his or her identity has been stolen.  But instead (spoiler alert!), what came up was a page full of brand marks of several of the largest corporations hit by hackers and data thieves in the last year or so. Here are just a few of the first ones that came up:

targetimage neimansimage michaelsimage anthemimage1 homedepotimageApparently, and quite properly, humor (and even sarcasm) are not the first reactions by anyone, including the cartoonists, when it comes to data breaches.  I scrolled through more than a hundred images (mostly breached company logos) before coming to one cartoon.  Serious stuff.

The first cartoon that came up kinda summed it up nicely, though:

homedepotexposedcartoon

You shop at a major retailer.  You work for a large corporation.  You are a client of an insurance company.  And you learn that the organization you shop at, your work for or who helps insure you that you trusted with your personal and/or financial information has been hacked.  You feel victimized.  You feel, well… exposed.  So what do you do next to protect yourself?

First, take a deep breath.  You may be frustrated, angry at the organization who you trusted to protect your data or wondering if your credit has been or will be compromised. Data breaches have become so common, that fortunately there are many resources to help you.

One of the most concise resources I found that summarized the steps you should take immediately, and then later if you do find your stolen data has been used is from the Federal Trade Commission (FTC).  There is a wealth of good information on the FTC’s page, including information about particular types of identity theft (medical, tax, children, etc.) and forms and sample letters to help you navigate various options to protect your information, or restore your identity if it has been harmed.  But assuming you have just learned that your information was involved in a data breach, here is the best way to get started according to the FTC:

Identity Theft

Identity theft happens when someone steals your personal information and uses it without your permission. It’s a serious crime that can wreak havoc with your finances, credit history, and reputation — and can take time, money, and patience to resolve.

What to Do Right Away

Immediate Steps to Repair Identity Theft

Here’s how to begin to limit the harm from identity theft.

What to Do Next

Extended Fraud Alerts and Credit Freezes

Placing both extended fraud alerts and credit freezes on your credit reports can make it more difficult for an identity thief to open new accounts in your name.

Repairing Your Credit After Identity Theft

Here are step-by-step instructions for disputing fraudulent charges and accounts related to identity theft.

Lost or Stolen Credit, ATM, and Debit Cards

Federal law limits your liability if your credit, ATM, or debit card is lost or stolen, but your liability may depend on how quickly you report the loss or theft.

There are many other great resources out there to guide you as well.  The Better Business Bureau, your State’s Attorney General (here is Connecticut’s) or Consumer Protection agencies, and the credit bureaus (Experian, Transunion, Equifax)  are great places to start from tips and road maps as well.

 

Cloud Computing and File Sharing

cloud computing
(graphic borrowed from http://www.intelligentitnyc.com)

 

This week, we are focusing on Cloud Computing and File Sharing. Though there are different types of clouds, practically everyone who uses a computer uses “The Cloud” in some way or another. But do you really know how the cloud works?  Sending information via email and over the internet may be useful when you need to share or access something quickly.  However, if you do not share or access that information in a secure manner, what seemed quick and convenient could cause you or the subject of the information a huge headache if that information is intercepted to gets into the wrong hands.  Here are some things to consider when sending personal or sensitive information electronically both at UConn and in your personal life:

Cloud security tips

 It’s the little things that count. Take the proper precautions by adopting easy proactive security habits and it will go a long way in safeguarding your personal data on the cloud.

UConn resources for file sharing

We live in a fast paced world that has faced paced problems. With the click of a mouse, enormous amounts of data can be compromised in an instant.  Often times, email is not a secure method by which to transfer data or information.  Luckily, UConn does have some easy to use resources for you that are also secure.  The UITS Information Security Office recommends that you use a tool called “File Locker” to use when transmitting sensitive information.   File Locker is a web-based application that allows UConn faculty, staff, and students to securely send or temporarily store sensitive files.   Visit https://web2.uconn.edu/filelocker/ to learn more.

UConn resources for detecting insecure data at work and at home

We’re human, we make mistakes and it’s a part of life, right? We also have the ability to catch our mistakes. UITS has implemented a tool called “Identity Finder “that you can run on your work and personal computer to detect unsecure sensitive information such as banking numbers, credit card numbers, and social security numbers, thus catching our storage errors. The software scans your computer for these risks and gives you the option to securely “shred” or quarantine unsafe data on your computer. Identity Finder will even scan your outlook mail for content that shouldn’t be there.

UConn resources for cloud data storage

One cloud-based data storage option UConn offers is a tool called IBM File Net.  IBM File Net is an Enterprise Content/Document Management System and is available as a tool for data storage and management. More about IBM File Net and its various benefits can be found at this DailyDigest entry.

Have you installed Identity Finder yet?

SecureU-IDFinder

 

In my post from January 14, 2013 below I included a section on protecting your personal information, as well as resources for protecting sensitive University data. To follow up on that post, I wanted to share a reminder tip that was posted earlier today by the UConn Information Security Office (ISO) on its two Facebook pages (UConnISO and UConn HuskyHunt):

Privacy Month Tip #13 – Protect Your Data, and here’s how….
As part of the secureU initiative, the University of Connecticut has partnered up with Identity Finder,LLC to bring the Identity Finder software to all faculty, staff, and students of the University of Connecticut free of charge!

Identity Finder is a special software that gives users the ability to find and protect sensitive data on their computer(s), helping to prevent data loss and identity theft. Identity Finder reduces the risk of data leakage and identity theft by discovering and securing sensitive information across computers. Built-in tools are included to shred, scrub, secure and quarantine vulnerable data in order to protect University of Connecticut constituents from data loss caused by spyware, viruses, lost laptops, and hackers.

For UConn employees and students, if you haven’t already done so, visit UConn’s Identity Finder website and install the software on your UConn-issued computer.  There is also an option to install the software on your personal computer too.  You should strongly consider doing so.  You will be amazed at what you find that you have stored there that you forgot about!

Stop! Thief!

thiefcard  thiefphone  thieflicense

This week’s posts will be focused on the topics of identity theft prevention and data protection.

Taking Care of Your Personal Information

What can you do to diminish the chances that you will become the victim of identity theft?  Here are some pointers:

  • Watch out for imposters!  Make sure you know who is asking for your personal or financial information and why they are asking for it. Don’t give out personal information on the phone, through the mail or online unless you’ve initiated the contact or know who you’re dealing with.
  • Manage your records.  Do not keep paper or electronic records that contain sensitive personal information longer than you need to.  Make sure you store your records that contain sensitive personal information in a secure location.
  • Properly dispose of paper records.  When disposing of paper records, do not throw documents with personal information on them in the trash.  Shred, shred shred!
  • Clear your mobile device before you get rid of it.  Before you dispose of a mobile device (such as your smartphone) check your owner’s manual, the service provider’s website, or the device manufacturer’s website for information on how to delete information permanently, and how to save or transfer information to a new device properly.
  • Encryption as a tool.  Consider encrypting files or even computer hard-drives that contain sensitive information.
  • Update security features.  Make sure that you update security and antivirus features and install patches on your computer regularly.
  • Monitor your credit.  Monitor your credit with each of the 3 major credit bureaus.  Federal law requires nationwide consumer reporting companies to provide you with a free credit report, at your request, once per year.
  • Password protection.  Protect your password the same way you would protect other sensitive personal information about yourself.  Create complex passwords and have different ones for each account if possible.  Do not share you passwords with anyone.
  • Do they really need my SSN?  Think twice (or 3 times!) before you give out your Social Security Number. If someone asks you to share your SSN, ask that person why they need it, how it will be used, how they will protect it, and what happens if you don’t share it with them.
  • Be wise about Wi-Fi.  Before you send personal information over your laptop or smartphone on a public wireless network in a coffee shop, library, airport, hotel or other public place, see if your information will be protected.
  • How social should I be?  Do not overshare on social networking websites.  Avoid posting personal information, such as your birth date or address.  Also consider how much you post about your life.  Identity thieves can use what you post to answer common challenge questions on your accounts, such as your credit card.
  • Think you might be the victim of identity theft?  Want to be prepared just in case?  The Federal Trade Commission, the Identity Theft Resource Center and staysafeonline.org provide excellent information regarding what to do if you become a victim of identity theft.

Taking Care of University Data (or personal information collected by University faculty/staff):

Here at UConn we take privacy and data security very seriously.  Systems are in place and resources are available to protect sensitive information we collect and/or maintain as part of our business practices.  Here are just some of the available University resources to help with identity theft prevention and records management as they relate to University records:

  • Learn more about the Compliance Office’s Records & Information (RIM) Program.  (Email me for a copy of our new brochure at rachel.krinsky@uconn.edu)
  • Staff are available anytime to answer your questions about data security, privacy and records management.  If you have questions or would like training regarding any of these topics, all you need to do is ask.  For more information, contact:

Privacy/Records & Information Management

Rachel Krinsky Rudnick
Assistant Director of Compliance/Privacy Officer
Rachel.Krinsky@uconn.edu
(860) 486-5256

Data Security

Jason Pufahl
Chief Information Security Officer
Jason.Pufahl@uconn.edu
(860) 486-3743