Appeared in the New York Times on April 17, 2015
By RON LIEBER
The note that arrived in the mail, dated March 25 and addressed to my grade-school-age daughter, said what we had expected and feared: Like tens of millions of other Americans, including untold numbers of children, she may have fallen victim to thieves who gained access to Social Security numbers and other personal data from the health insurancegiant Anthem.
In three single-spaced pages, it noted that anyone who had dealt with the company and many Blue Cross and Blue Shield insurance plans over the last decade could be vulnerable. The letter pointed us to anthemfacts.com for more information, which it described as “our source of truth.”
Here’s what the note did not fully address, however: What are the odds that someone will steal a child’s identity? Why would a thief do that, and what exactly can parents do to keep it from happening?
I know better than to overreact to this sort of thing. Thieves have to get the data, choose to use it (instead of chickening out), pick yours to use in nefarious ways and then do so successfully before any damage to a child’s credit record can occur. Still, a 2011 joint industry-academic examination of 40,000 children caught up in a data breach found that someone else appeared to be using 10.2 percent of their Social Security numbers. Most of those instances happened before the breach in question.
Freezing a Child’s Credit
Nineteen states require credit reporting agencies to allow a parent or guardian to freeze their child’s credit file, which helps prevent identity theft.
So crime like this does happen, and here’s why: Children’s credit reports are clean. That’s attractive to people who want to begin their financial lives anew for any number of reasons. Plus, minors don’t check their credit reports or review monthly bills the way grown-ups do, which means thieves may not get caught for years or even decades.
One way that people can protect themselves from many kinds of identity theft is to put a freezeon their credit reports with Equifax, Experianand TransUnion, the three agencies that make a lot of money tracking our financial histories and selling that information to companies we want to do business with.
A credit freeze is more stringent than the more popular fraud alerts that many consumers have used in the past. Putting your reports on ice means that any new creditor trying to open an account in your name won’t have access to your credit report unless you go into the system and thaw it. Without seeing your credit report, companies that you are not already patronizing generally won’t open a new account in your name, so the freeze usually has the effect of thwarting thieves.
The problem with the freeze, however, is that you need to have a credit report in the first place before you can put it in cold storage. Because most children don’t, it’s usually been nearly impossible to freeze a child’s credit file.
In the last few years, though, that’s been changing. According to Heather Morton, a program principal with the National Conference of State Legislatures, 19 states now require the credit agencies to help parents and guardians create a new credit report for a minor child for the express purpose of immediately freezing it. Those states are Arizona, Delaware, Florida, Georgia, Illinois, Indiana, Iowa, Louisiana, Maryland, Michigan, Montana, Nebraska, New York, Oregon, South Carolina, Texas, Utah, Virginia and Wisconsin.
Last month, Representative Jim Langevin, Democrat of Rhode Island, introducedlegislation that would force the credit bureaus to let all of us do this. Equifax claims that it already lets any parent set up a freeze for a child in the other 31 states. Experian and TransUnion do not, though TransUnion, on its website, has a form that parents can complete so the company can check to see if there are any existing credit files under a child’s Social Security number.
The bureaus aren’t big fans of freezes, because they’re an administrative annoyance and they throw a giant roadblock in their business of peddling our information. Equifax, on its website, introduces freezes as something a consumer does after being victimized, as if we’d all want to wait until the burglar has left the premises to hire a security guard. TransUnion deserves credit for at least mentioningthat children may be able to get one. All of them, however, worry about creating vulnerabilities where there were none by creating a credit file that did not previously exist.
Still, if you try to set one up for your child, you’re in for a battle. The agencies want reams of information, including copies of your child’s birth certificate and Social Security number plus certain bills that prove where you live. Equifax and TransUnion ask you to put all of this private information in an envelope and drop it into a mailbox. Even worse, two Equifax customer service representatives I spoke to this week insisted that I should put “minor child” at the top of the address. It might as well say, “Steal this envelope!”
I’m doing it anyway (though without saying, “Steal Me”), if only to annoy the agencies that so clearly do not want me to do this.
Freezes won’t stop every kind of theft, alas. Thieves sometimes use children’s Social Security numbers and other data to file fake tax returns and get illegitimate refunds, gain access to health care and work legally even if they are not citizens. In each of those instances, there may never be a credit check that reveals the freeze.
So what are the ways to keep private data private that are within our control? Don’t carry around Social Security cards. Keep them under lock and key at home. Keep your child’s date of birth off social media. Talk to your offspring about where to click and not to click on websites and in incoming email. Question school officials and doctors who want children’s Social Security numbers for forms, as it may not truly be necessary.
Also, keep your voice down at the pharmacy and physician’s office.
Robert P. Chappell Jr., author of “Child Identity Theft: What Every Parent Needs To Know,” sometimes jots down names, insurance information and other bits and pieces as he listens in those places and then approaches people afterward to gently correct their data hygiene. So far, nobody has punched him in the nose. “Most of them are very nice and have no idea about the harm that can come from it,” said Mr. Chappell, who works in law enforcement by day. “Usually, I’m in civilian clothes.”
One problem with the various legislative efforts to fix the problem is that they won’t do much about the many situations where it’s the children’s own parents who commit the identity fraud. Mothers and fathers may do this out of desperation, having already wrecked their own credit or experienced some acute financial calamity. Foster children are frequent identity theft victims, too. Whatever the reason for the crime, these parents aren’t about to freeze their children’s files.
So what could stop them? One possibility exists only in theory, and it’s called the 17-10 registry. The idea here is that when children are born, their Social Security numbers automatically go into a “do not break the glass until two months before age 18” database. Parents could be prohibited from opting out of the database for their children, and credit reporting agencies (and employers and the Internal Revenue Service) would hopefully crosscheck it before letting anyone use any Social Security number. TransUnion is experimenting with its own databasethat families in Utah can put their children in.
My daughter seems unscathed so far, and we are signing up for the free monitoring service that Anthem is making available for two years. But Adam Levin, the founder or co-founder of two credit- and identity-related businesses and the author of a book scheduled for release in November called “Swiped: What Identity Thieves Do and How to Stop Them,” questioned why the free service ought to halt then, even if Anthem is paying for a longer period than other breached organizations have in the past.
“Social Security numbers are like money in the bank, and thieves don’t need to use them at any specific moment in history,” he said. “You’re going to have to look over your shoulder for the rest of your life.”
Then again, you’re probably already doing that. The companies we pay and the governmental agencies that keep track of us have proved with startling consistency that they are not up to the task of keeping our data safe. Then, they compound that by dragging their feet when tools emerge that allow us to flip a switch and try to contain the damage.
Until that changes, you’re more or less on your own. But you already knew that, right?