New Jersey bankruptcy Article

Protectors, Too, Gather Profits From ID Theft

Beyond her shock, Mrs. Millett was angry. Five months earlier, the Milletts had subscribed to a $79.99-a-year service from Equifax, a big financial data warehouse, that promised to monitor any access to her credit records. But it never reported the credit activity that might have signaled that they were victims of identity theft.

“I feel like the whole thing is a sham,” said Mrs. Millett, a 37-year-old information-technology manager from Overland Park, Kan. “You feel completely violated because here are the people who know the industry. They hold all the data.” The services, she contends, are oversold.

It is not just criminals who are profiting from identity theft; financial institutions are making money, too. Fear of identity theft has helped give rise to a nearly billion-dollar business in credit-monitoring services sold by the major credit bureaus — companies like Equifax, Experian and TransUnion — as well as direct marketers and banks.

Javelin Strategy and Research, which analyzes the credit-monitoring market, says more than 12 million Americans are now subscribers. The services alert them when lenders have requested their credit files, usually an indication a credit application has been made in their name.

Credit monitoring has quickly gained traction with consumers through aggressive advertising that often promotes its value in protecting against identity theft. But its abilities are far more limited than is commonly perceived.

In the meantime, measures that could stem fraud from identity theft — like legislation empowering consumers to block access to their credit records, making it impossible to extend new credit — have faced stiff resistance from industry groups.

“Identity theft has essentially become a business — not just for bad guys but for good guys, too,” said Robert Gellman, a privacy consultant in Washington. “A lot of the people that are involved in profiting legally from identity theft are direct participants in the whole credit system that doesn’t have the protections in place to prevent identity theft in the first place.”

Some criticism has been aimed at banks, which tolerate a certain amount of fraud as a cost of doing business. But the biggest beneficiaries from identity theft have been the three credit bureaus.

Banks and other lenders have long bought information like a person’s payment history or debt load to assess a loan’s risk. But credit monitoring turned the system on its head and helped create a new, consumer- focused financial data industry.

In addition to selling files to lenders in bulk, the bureaus now market largely the same records to individuals, including entries that reflect applications for credit, new accounts or balance changes. While the data is sold to a big financial institution for 20 cents to $1 a report, according to analysts and industry executives, it can be repackaged and sold to consumers in the form of credit monitoring for $3 to $16 a month.

Persuading customers to sign up can be costly. But today, Wall Street analysts estimate credit monitoring alone to be a $900 million category, growing 20 percent a year or more.

“It’s a pretty big market considering that 10 years ago it didn’t exist,” said J. Bradford Eichler, a consumer data company analyst at Stephens.

Peace of Mind, at a Price

Representatives of Equifax, Experian and TransUnion, whose consumer affiliates are being sued by the Milletts, would not comment on the couple’s specific contentions because of the continuing litigation. But they say credit monitoring is a valuable tool.

“Our products give consumers an early warning system so they can limit the damage and take care of the problem right away,” said John Danaher, president of TransUnion’s online consumer services arm.

And indeed, many consumers speak glowingly of their experiences with credit monitoring. Wendy Barrington, a 36-year-old Houston woman, recalled the annoyance a friend faced for months after her financial information was stolen.

“I am not about to risk something I have worked so hard on,” said Ms. Barrington, who pays about $15 a month for TransUnion’s credit-monitoring service. “All it takes is one person stealing your information and you are in a world of hurt.”

Still, some consumer advocates caution that people may be overpaying for that peace of mind.

For one thing, Americans can essentially create their own credit-monitoring service by taking advantage of a federal law that guarantees access to one free credit report a year from each of the three bureaus. And thanks to so-called zero liability policies, the cost of fraud is generally absorbed by the credit card companies, merchants and banks.

At the same time, credit monitoring may fail to detect that a credit request was even made. For example, a fraud artist may use someone else’s personal identification information — like a Social Security number — but take out a loan in his or her own name. The data mismatch can cause the bureau’s computer systems to route the loan request to a separate file so that a credit-monitoring service never picks it up.

That is what Melody and Steven Millett, the Kansas couple, say happened to them.

In late January 2003, Mrs. Millett found something was wrong when a Ford Motor Credit computer system refused to let her set up an online account to pay off an auto loan. When she called the lender, Mrs. Millett said, she was told that an account had already been set up with Mr. Millett’s Social Security number but a different name: Abundio Perez.

She later learned of at least 26 cases in which Mr. Millett’s personal information had been used in credit applications by Mr. Perez since 1989, according to a lawsuit filed by the Milletts against the credit bureaus, data providers and several creditors in June 2004 in federal court in Kansas City, Kan.

The previous August, Mrs. Millett had bought a credit-monitoring subscription from Equifax. Soon after the Ford Motor Credit incident, she also signed up for credit monitoring with Experian and TransUnion.

At least one credit application using Mr. Millett’s Social Security number came after the Milletts obtained their credit-monitoring subscriptions, according to their lawyer, Joyce Yeager. But not once, Mrs. Millett said, did the couple receive notice of unusual access to their credit records or the misuse of Mr. Millett’s data. Quite the contrary, the bureaus sent them a succession of reassuring e-mail messages suggesting that their information was safe and offering congratulations.

In their legal claims, which have been separated into several class-action lawsuits, the Milletts say that the bureaus’ monitoring services do not work as advertised.

“The core identifier is your Social Security number,” Mrs. Millett said in an interview. “You use it for work, for taxes. You would think that identifier would be covered by someone advertising they protect you from identity theft. To think that they are not is just flabbergasting.”

Donald Girard, an Experian spokesman, acknowledged that his company’s credit-monitoring products could not detect cases in which a credit applicant used someone else’s Social Security number but his or her own name because those records were stored separately. He added, however, that in such cases consumers are “not harmed” financially.

Protection vs. Prevention

Initially, the credit bureaus sold monitoring as a way for consumers to understand and manage their credit scores before taking out big loans. But since a wave of data breaches in 2004 heightened consumer fears, a security message appears to have moved toward center stage.

“It is advertised as monitoring for identity-theft protection,” said Michael R. Stanfield, chief executive of Intersections, a direct-marketing company that offers credit monitoring through big banks and card companies. But he said consumers hear protection “and don’t understand if it is prevention or detection.”

“What is needed in the marketplace are products that are going to help you protect your information, monitor it when it is in the process of getting used in a financial fraud, and catch those financial frauds when they are about to occur,” he added.

Privacy advocates have suggested providing more fraud-prevention tools to consumers by allowing them to freeze access to credit records if they think they have been identity-theft victims — or as a precaution.

Beginning with California in 2003, such laws have passed in 26 states, including New York last month. But of roughly 148 million credit-eligible customers in those states, Experian estimates 30,000 have elected to freeze their files.

Financial and retailing lobbying groups have generally opposed such legislation at the state and federal levels since it could hinder a retailer in issuing a store-branded credit card — or a bank in extending a loan — to a legitimate customer, who must first unfreeze the credit file. It can also restrict the bureaus from selling consumer credit files.

The big credit bureaus, after initially opposing tougher legislation, are taking a wait-and-see approach. “It may be that we evolve to that at some point,” said Maxine Sweet, Experian’s vice president for consumer education. “We have to make sure that we are not interfering with what is a very important part of the whole consumer credit economy.”

Such a freeze might not have helped the Milletts, since the problematic files were kept under another name. Mrs. Millett is still using a credit-monitoring service, but she would not recommend it to a friend.

“I still have credit monitoring because of the simple fact that it is the best tool available at this time,” she said. “It is not ideal, it is broken, and it is not as advertised.”