Consumers can't yet count on companies to protect data from identity thieves

NEW YORK - It happens all the time: You swipe a credit card to buy a new pair of jeans, pay for a fancy dinner or withdraw some cash. Each time a transaction occurs, a flurry of digits and codes moves from one location to another. And each time, you're putting your financial data in jeopardy.

Here's the latest example: On Aug. 17 federal prosecutors charged a man who allegedly stole information for 130 million credit- and debit-card accounts, in what the Justice Department called the largest ever such case.

If you've already been victimized by identity thieves, you're not alone: Federal Reserve Chairman Ben Bernanke himself fell prey to identity thieves, according to a Newsweek report.

In 2008, as Bernanke's wife sat in a Starbucks in Washington, a crook - part of a large ring of scammers - stole her purse, containing a checkbook for a joint account. The fraudsters eventually made off with $9,000, though Bernanke didn't suffer a financial loss, according to the report.

That's a textbook example of how identity theft still arises from the age-old crime of shoplifting. Meanwhile, identity-theft incidents arising from hackers seeking sensitive financial information in computer databases will only increase, security experts say, thanks in part to the increased digitization of information.

"This is like a Hydra. There are many, many heads," said Adam Levin, co-founder of Scottsdale, Ariz.-based Identity Theft 911, and a former director of the New Jersey Division of Consumer Affairs.

Levin said there's a "perfect storm" for more identity-theft cases to happen: Companies with budget woes are less likely to invest in protecting consumer data when the economy is still stagnant and the cost of securing information cuts into profits.

In the recent case, Albert Gonzalez, 28, of Miami, and two unidentified Russian conspirators stole credit- and debit-card information from Heartland Payment Systems, a Princeton, N.J.-based payment processor, and 7-Eleven, supermarket chain Hannaford Brothers and two unidentified national retailers. The crimes started in late 2006 and ended in early 2008, according to the indictment. Gonzalez, already in federal custody for a different computer-hacking case, faces up to 35 years in prison for the current case, according to the U.S. Department of Justice.

That wasn't the only case announced last week. Radisson Hotels and Resorts said hackers broke into its computer system between November 2008 and May 2009 to steal data including guest names, credit- and debit-card numbers and expiration dates. The hotel chain said it doesn't yet know how many customers are affected. The company set up a toll-free hotline and a Web page with more information.

Who's responsible?

These are just the latest two examples in a long line of identity-theft and fraud cases. The question is who's responsible for preventing this crime, particularly when hackers go after the consumer data that companies store on their servers?

Brian Lapidus, the chief operating officer of Nashville, Tenn.-based Kroll Fraud Solutions, said the responsibility falls on companies. "The business has a responsibility to protect the data they have," he said. "It's their responsibility because there's a level of trust between a business and consumers."

Companies should "treat the data as the valuable asset it is," Lapidus said, adding that preventing breaches before they happen can save money.

Others agreed. As businesses become more information-focused and hackers become more sophisticated, consumer data is at risk, said William Besse, executive director of consulting and investigations at Andrews International, a Los Angeles-based provider of security services.

But consumers also should take measures to protect themselves, Besse said, including updating their computer operating systems, creating complex passwords and backing up files.

Meanwhile, there are a growing number of laws and proposed legislation at the state and national level to protect consumers. In Massachusetts, for example, businesses have until January 2010 to comply with new identity-theft regulations that protect consumers.

Still, in July, the Federal Trade Commission delayed the deadline for the Red Flags Rule until Nov. 1. The program requires certain companies and institutions to establish systems to spot possible threats to consumer data.

More than 9 million Americans have their personal information compromised each year, with related losses totaling almost $15.6 billion, according to a FTC survey done in 2006.

The laws can be helpful but it won't stop consumer data from being breached, said Levin, of Identity Theft 911.

"This is the land of openness," Levin said. "We are our own worst enemies at times."

Consumers should check their credit reports (go to AnnualCreditReport.com for one free report from each of the three credit bureaus every year) and spend five or so minutes every day checking credit and bank accounts to ensure the transactions are correct, Levin said.

Lapidus, of Kroll Fraud Solutions, said "all companies need to be prepared for when - not if - it happens. They need to have a plan."

In the meantime, here are some tips from Kroll on what consumers can do to protect themselves:

Leave your Social Security card at home. In the wrong hands, a thief can construct an entire identity with these digits.

Destroy the hard drive before dumping an old computer. Simply erasing data isn't enough - you should physically remove the hard drive, which holds original bits and bytes of information.

Photocopy your wallet's contents so you know what's missing if your wallet is lost or stolen.

Be sure to lock your wireless account. If left open, surfing online wirelessly allows other people to access your data.

Check your credit reports and account statements regularly so you can spot any transactions you didn't make.

(c) 2009, MarketWatch.com Inc.

Distributed by McClatchy-Tribune Information Services.