July 26, 2010, 12:22 PM — Todd Davis is best known as the CEO of identity-theft protection company LifeLock who used his own Social Security number in his company's advertising as a sign of his confidence in the service. In May, it was widely reported that Davis's identity had been stolen at least 13 times. The controversy over LifeLock's advertising ultimately cost the company $12 million in fines.
Granted, most of us won't plaster our Social Security numbers all over billboards. But real threats exist out there, and it is important to protect your identity. Are online identity-protection services worth the cost? Can you trust them? Are there more-effective ways to protect your personal information without the services of a specialized company? We did some digging, and here's what we found.
How Identity Theft Works
Criminals can steal your identity through a variety of ways, including phishing scams, malware on your PC, and even rooting through your trash for sensitive paper documents. You can defend yourself against such attacks by keeping an eye out for phishing tactics, running antimalware utilities, and shredding documents.
One method of identity theft that you can't directly guard against is a data breach against a company--such as a bank--that you do business with. According to the Identity Theft Resource Center, 498 such breaches occurred in 2009. Often criminals will sell personal information harvested from data breaches to other crooks on online black markets. Criminals could use your identity for anything from opening bank or credit card accounts to seeking medical care using your name.
To make matters worse, laws requiring companies to disclose data breaches are spotty: Some states have tough reporting laws, but no national standard exists. In other words, you could do everything right, and still have your identity stolen without realizing it. No wonder there's a market for identity-theft protection services.
What ID Protection Services Do (and Don't Do)
Identity-theft protection services typically monitor your credit or public records for any suspicious charges, or offer other identity-theft safeguards, for a monthly fee. In some cases they provide services to help clean up the mess left behind in the wake of identity theft and assist in rebuilding your credit. Banks frequently offer several degrees of identity-theft protection to their customers, as well.
You won't find any hard and fast guidelines about what to look for if you decide to buy into an identity-theft protection service. "Consumers need to do their homework," says Jay Foley, executive director with the Identity Theft Resource Center. Before signing up, you should ask what these companies offer, and evaluate whether their services fit your needs.
According to Privacy Rights Clearinghouse, identity-theft protection services don't monitor certain types of identity theft, such as prior instances of identity theft, Social Security number fraud (a point of contention with the LifeLock advertising), debit/check card fraud, criminal identity fraud (that is, a criminal assumes your identity when arrested), and medical fraud (a criminal assumes your identity when seeking medical attention). Paul Stephens, director of policy and advocacy with Privacy Rights Clearninghouse, notes that these sorts of crimes "are more difficult to recover from than financial identity theft."
Privacy Rights Clearninghouse provides a list of the sorts of services you should look for in an ID-theft protection service. In particular, you should determine what sorts of credit-monitoring services the company provides (which credit bureaus it gets reports from, how often it obtains reports, whether you can have unlimited access to your credit reports and scores), whether the company provides services you can't do by yourself or find elsewhere, and what kinds of extra services and insurance the company offers.
You should also look for whether a company performs additional identity monitoring. For example, does it track whether someone is using your address, or is receiving medical care under your name? "Do [ID-theft protection services] do more than monitor your credit? If they can say 'yes,' then maybe they're worth some value," says Foley.
