ID-theft ruling: Set your own fraud alerts
SAN JOSE, Calif. — Companies that sell “identity-theft protection” present an alluring but questionable proposition.
For as much as about $100 per year, the main thing they do is set fraud alerts that force banks to call people before new lines of credit are opened in their names. The alerts can be useful — but people can set them themselves, for free.
Now even that function could be taken away from the ID theft-prevention services.
A federal court in California has blocked Tempe, Ariz.-based LifeLock, one of the industry’s biggest players, from setting fraud alerts with Experian, one of the three main credit-reporting agencies that manage the fraud alerts.
Experian is suing LifeLock, claiming that LifeLock’s automatic renewal of customers’ fraud alerts — which happens every 90 days, when they expire — costs Experian millions of dollars in processing expenses.
In a ruling last week, a judge agreed with one of Experian’s central arguments, which is that LifeLock isn’t authorized to set alerts for consumers, and that federal law requires consumers to set alerts themselves by contacting credit bureaus directly.
The ruling has caused at least one ID-theft prevention service, Debix, to announce it plans to drop fraud alerts and offer credit monitoring instead. The trend is likely to play out across the industry.
“It’s going to be a game changer,” said Jay Foley, executive director of the Identity Theft Resource Center.
For consumers, this means “identity theft protection” services could get more expensive — and less useful. Credit monitoring services can cost $180 a year, and they don’t always detect a fraud before it happens.
In contrast, fraud alerts are supposed to make it much harder for identity theft to be pulled off in the first place.
When a bank or retailer runs a credit check on someone for a new account, if a fraud alert pops up, the bank or retailer is required to call that person or use any other “reasonable policies and procedures” to verify their identity. That is meant to stop a scammer who goes into a retail store and tries, for example, to get instant credit under someone else’s name and then walk out with a TV the other guy would be on the hook for.
LifeLock’s CEO, Todd Davis, who is known for plastering his Social Security number on billboards in a dangerous advertising gimmick, says his company will fight the court ruling and won’t stop setting fraud alerts with the other two credit bureaus, Equifax and TransUnion.
Placing an alert at one bureau means an alert is placed at all three, because they have to notify each other.
“It’s going to be business as usual until we hear they don’t agree with the way we’re interpreting this,” Davis said in an interview. “We’re not worried that this is some catastrophic decision.”
At least one of his competitors disagrees.
Bo Holland, the founder of Debix, which offers ID theft protection for $24 a year, said his company will now stop setting fraud alerts and sell credit monitoring instead. Holland said many of Debix’s clients are corporations that subsidize the service for employees and customers after a breach.
Losing the ability to set fraud alerts is “definitely a step backward. It’s been a very effective mechanism; creditors did a pretty good job of doing what they were supposed to do,” he said. “Absolutely I’m sad to see it go.”
Holland noted, though, that fraud alerts have weaknesses, because banks will sometimes ask “security questions” of credit applicants instead of calling a consumer before opening a new account. If criminals have enough personal information about their victims, the con artists might be able to answer those questions, and the consumer would never get a call.
Representatives for another big ID-theft protection service, TrustedID (which costs around $100 a year), did not return messages seeking comment.
Experian’s lawsuit is not the first against LifeLock. Some customers have sued, saying they were misled about their level of protection.
The main thing services like LifeLock guard against is credit fraud. But there are other types of fraud, like using someone’s Social Security number to get a job or medical coverage or giving it to police to impersonate someone innocent. A fraud alert on a credit report is powerless against those crimes.
Filed under Lawsuit, Legal Proceedings, News | Tags: Calif., California, Europe, European Union, fraud, Fraud And False Statements, Identity Theft, Netherlands, North America, Products And Services, San Jose, sued, Suing, United States, Us-tec-identity-theft, Western Europe | Comment Below