We need to put to bed the notion that we can immunize ourselves from identity theft. Because we can't.
Our information is too poorly protected in too many databases. Sure, we can do a few things to make certain types of theft a little harder. But as breach after breach after breach has shown, our biggest risks are beyond our control.
Just one example: Health insurer Anthem, which stored the Social Security numbers of my family and 80 million other customers without encrypting them. But, Anthem assured us, "We have no reason to believe credit card or banking information was compromised, nor is there evidence at this time that medical information such as claims, test results, or diagnostic codes, was targeted or obtained."
Oh, good. So the bad guys have our Social Security numbers, the key to virtually every kind of identity theft, but they may not know I have a Retin-A prescription. That's a relief.
Adding insult to injury are all the credit-monitoring companies that say they offer "identity theft protection." There's no such thing. At best, these companies can give you early warning if you've become a victim and help you try to clean up the mess.
You can lock up your credit reports with a security freeze. That can help prevent new account fraud, where someone else applies for credit in your name. That still leaves you with all the other types of ID theft, including:
- Medical ID theft, where someone obtains health care using your identity, potentially leaving you with the bills and their medical information mixed in with yours.
- Criminal ID theft, where someone who's arrested pretends to be you and gives the cops your identifying information.
- Tax ID theft, where someone phonies up tax information and files a return in your name to get a fat refund.
I've been as guilty as the next personal financial columnist of writing the "10 best ways to protect yourself from ID theft." You can, and should, be stingy about giving out your Social Security number, vigilant about checking your credit reports, careful to shred documents with sensitive information. You should buy a locking mailbox, install and use anti-malware software, and stop clicking on links in your emails.
But you can do everything that's in your power to do -- and still become a victim.
As long as your Social Security number is an all-purpose identifier -- which it was never meant to be, and which it's not in other developed countries -- you're at risk.