By Kara Brandeisky
January 13, 2015
Carolyn Kaster—AP

Americans are terrified of identity theft. They’re more afraid of identity theft than every other crime, Gallup says. And they have good reason to be: Over the past year, millions of consumers have had sensitive personal information exposed in data breaches.

Well, President Obama has heard your concerns. He’ll offer at least two big solutions in next week’s State of the Union address. Obama previewed those ideas during a speech at the Federal Trade Commission on Monday.

Bottom line: If you’re afraid of an identity thief racking up debts in your name, don’t rest easy just yet. Here’s what the president’s proposals wouldn’t accomplish—and what you can do instead to protect yourself.

#1: A federal notification requirement for security breaches

Obama’s idea: Pass a new federal law requiring businesses to tell consumers their personal information has been exposed within a month of a breach.

“Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late,” Obama explained during his speech at the FTC. “So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days.”

But Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, says he worries that Obama’s national proposal could override existing state laws, which generally offer even stronger protections.

Altogether, 47 states have laws governing how businesses must notify consumers of security breaches. Most states “require notification in the most expedient/expeditious time possible and without unreasonable delay,” says Pam Greenberg of the National Conference of State Legislatures. Exceptions include Florida, which requires notice within 30 days, and Ohio, Vermont, and Wisconsin, which require notice within 45 days, according to Greenberg.

Stephens is also concerned that the legislation will give companies wide discretion to decide whether consumers are at risk—and, therefore, whether they need to be notified. “The mere existence of a breach should trigger mandatory reporting because individuals whose information has been breached have a right to know about it,” Stephens says.

What’s more, notes Stephens, in many cases it takes some time before the companies themselves know they’ve been hacked. And if law enforcement agencies are investigating the breach, authorities may ask companies not to disclose anything that would undermine the investigation.

We’ll have to wait and see on the details. The “Personal Data Notification and Protection Act” has not been introduced in Congress yet.

#2: Free credit scores

On Monday, the president praised JPMorganChase, Bank of America, USAA, and the State Employees’ Credit Union for offering their customers free credit scores as part of their packages of financial services. “We’re encouraging more companies to join this effort every day,” he said.

He’s had some help from the Consumer Financial Protection Bureau, which over the past year has been pressuring credit card companies to provide free access to FICO score information to help consumers make smarter financial decisions—and the effort is starting to bear results.

“This means that a majority of American adults will have free access to their credit score, which is like an early warning system telling you that you’ve been hit by fraud so you can deal with it fast,” Obama said on Monday.

But that’s where he’s wrong. Your credit score is the opposite of an early warning system—by the time your credit score has moved, you’re already in deep trouble, explains Odysseas Papadimitriou, CEO of, a credit card comparison site.

“Let’s say I steal your identity and I open a credit card under your name,” Papadimitriou says. “I get your credit card June 1. I get the bill July 1, that bill is due on August 1. I miss that payment. The next bill is due September 1. I miss that payment. At that point in time, I get reported—on September 1. All the damage is done. That’s why it’s completely useless.”

Having free access to your credit score is nice. But if the score is bad, it’s already too late.

What you can do now

First, get your hands on a “chip-and-signature” credit card. Experts are hopeful that this new technology could stem the near-constant retail data breaches. Visa and Mastercard have promised to update all their cards by October 2015.

Here’s how it works: The “chip” encrypts your transaction data, which should make it harder for hackers to raid retailers’ checkout systems and steal your credit card number. Stephens warns that identity thieves can still rack up fraudulent charges in your name if they get hold of your physical chip-and-signature card. A chip-and-PIN card is even better—that would require you to input a 4-digit PIN for any purchase. But any chip should help.

Second, check your free credit reports. Your credit report will show whether any new, fraudulent accounts have been opened in your name. Your credit score will only tank once someone has opened a fraudulent account and missed two payments. Papadimitriou thinks Congress should let Americans access their credit reports for free, at any time. Until then, you’re only entitled to one free credit report from each credit bureau every year—so check every four months.

While you’re at it, keep a close eye on your credit card statements. Report any suspicious charges. The good news is there are consumer protections in place to ensure you’ll get almost all of your money back in the event of fraud.

If an identity thief just stole your card number, you’ll ultimately owe nothing. If an identity thief stole your actual card, your liability is limited to $50 for credit cards and $500 for debit cards, depending on how early you report the problem. So you want to catch it early.

For more

You May Like