Identity Theft in the Information Age: Protecting Your Most Valued Asset

Identity Theft in the Information Age: Protecting your Most Valued Asset

White Paper Provided by HUB International September 2010 The call came in the middle of the night to Ted and

Karen’s home. “Is Karen okay?” It was a good friend who had been on Facebook and saw Karen’s plea for money - she was in London, her wallet had been stolen, and she was using Facebook to connect with friends who could wire her money to get home to the

United States. But, Karen was right beside Ted in their house in Connecticut. She was not in London, and her wallet was in her purse. Karen’s friend had almost become a victim of a modern cyber crime. Identity Theft in the Information Age: Protecting your Most Valued Asset

Despite increased vigilance by consumers and and investigations fi rm that counsels the high net-worth businesses, identity theft continues to affect the lives of community. “They no longer break into your house. They millions of Americans. break into your life.” According to Viollis, cyber criminals are increasingly targeting high net worth consumers This lucrative and increasingly sophisticated crime and their advisors because they represent a “one stop grew by 12% in 2009 impacting 11 million Americans, shop.”3 according to Javelin Strategy & Research, a fi rm that has tracked the problem since 2003.1 Identity theft is defi ned by the Federal Trade Commission as “fraud that is committed or attempted, using a person’s identifying According to Information Week, “Hacking information without authority.” 2 isn’t a kid’s game anymore. It’s big

Victims of identity theft may fi nd themselves unable to business. Online black markets are fl ush secure a mortgage, pass a pre-employment screening, with stolen credit card data, driver’s license or access their own health insurance benefi ts as a result numbers, and malware, the programs that of the criminal activity done by others in their name. It can take months –-and in some extreme cases--years let hackers exploit the security weaknesses to repair credit history. of commercial software. Cyber criminals

Protecting your identity is an ever-present reality in the have become an organized bunch; they use information age. From the courtesy checks you receive peer-to-peer payment systems just like they from your credit card company to Gmail, Twitter, and are buying and selling on eBay, and they’re Facebook, there is an abundance of fertile ground for not afraid to work together.”4 crime. The good news is that there are many practical tips and safeguards everyone can implement to help preserve their identity and property. Cyber Threats First, it’s important to understand the changing A fi rst step in protecting yourself is to be aware of landscape of this type of crime. While identity theft is the potential for crime. With the increase of online rooted in low-tech activities such as theft of wallets or activity, the popularity of social networking, and our “dumpster-diving” for discarded fi nancial statements, the increasing comfort level with the Internet, criminals information age has offered a multitude of opportunities see opportunity and dollars signs. Gunter Ollmann, to gain access to personal information. chief security strategist for IBM Security Systems, was Today’s cyber criminals are sophisticated and searching quoted in a Georgia Tech Information Security Center for bigger payoffs. Cyber crime encompasses credit Summit (GTISC) report about the evolving cyber crime card fraud, hacking, “shoulder-surfi ng,” fake Caller ID, economy, saying it is “an international conglomerate of “phishing,” and “spearing.” Vigilance in understanding professionally-trained authors motivated by high profi t.” the changing landscape and risks, while also evaluating GTISC publishes forward-looking information on cyber and re-evaluating your vulnerability, is critical to avoiding security threats. Following are their top fi ve emerging cyber-crime. cyber security threats:5 “The 21st century intruder is well-prepared and well Malware—software designed to infi ltrate or damage equipped,” says Paul Viollis, CEO of Risk Control a computer system without the owner’s informed Strategies (RCS), a New York City-based consulting consent

3 Botnets—groups of computers infected with malicious Fake Caller ID: Scammers use Internet-based phone code and controlled by an outside master. GTISC service to fake the Caller IDs of banks and ﬁ nancial estimates that botnet-affected machines could advisors. Because the phone ID bears the name comprise as much as 15 percent of online computers. of their bank or a trusted advisor, victims are tricked into providing personal information. Incoming Cyber warfare—the use of computers and the Internet calls, however, should always be suspect. Banks to attack the U.S. economy and infrastructure and related institutions rarely call to “verify account 7 Threats to VoIP (voice communications over the information.” Internet) and mobile devices – as “smart phones” achieve functionality similar to PCs and market share becomes concentrated on fewer platforms, experts “Your identity is a predict widespread virus attacks. core asset.” The evolving cyber crime economy – more organized ~ Matthew Cullina, president, and proﬁ t-driven than ever before. Identity Theft 911

Cyber Criminal Industry Social Networking: Social networks such as An entire industry of online “thieves” has been created. Facebook, MySpace, and Twitter represent the According to Ollmann, there are three main categories: newest platforms for emerging threats and make Low-level criminals who use kits (which can be it easier for both stalkers and scammers to learn bought, leased, subscribed, and pay-as-you-go) to about and track their intended victims. Cyber criminals create the speciﬁ c malware required for their targeted take advantage of networks of “friends” to get users crimes; to click on links they might otherwise ignore. Phishers have hijacked user accounts in order to send the Skilled developer and collectives of technical user’s friends instant messages pleading for experts creating new components to embed within emergency assistance – and money. Facebook their commercial malware creation kits; warned its users in early 2009 about the rise in Top-tier managed service providers that warp new phishing and spam attacks.8 Unfortunately, many services around malware kits to increase propagation users of social networks fail to utilize the privacy and enable organized fraud on a global scale, feeding controls available to them on these sites which would gains back into existing money-laundering chains.6 help reduce their exposure.

Chubb’s Peter Spicer says “Twitter is a gift to stalkers Understanding your Risks if their intended victim is too open about who follows In the information age, it is imperative to stay informed them and what they are willing to ‘tweet’ about.” about the types of cyber crime that you could fall victim to. There are a number of techniques that criminals For more information about social media risks and how employ to gain valuable information about individuals, to protect your online privacy, read HUB International’s which they then use to obtain passwords, Social white paper: “Privacy Matters: Social Media, Risk and Security numbers, and other vital information. Following Reward.” are three categories of risk everyone should be aware of: “Spear Phishing” or “Whaling”: These techniques Five Types of Identity Theft target affl uent individuals and involve sending emails While not new, identity theft is evolving. Five of the most to money managers, fi nancial advisors, and family common types of identity theft are: offi ces. Often personally addressed, these emails 1. Department of Motor Vehicles—Use of a victim’s include links that install malicious software. identity to obtain a driver’s license. Victims discover unpaid traffi c tickets and DUI’s under their name.

4 2. Social Security—Use of a victim’s Social Security The 21st century intruder is well prepared and well number for employment purposes. These thieves equipped…to break into your life according to Paul also fi le taxes under a victim’s name in order to Viollis, CEO of Risk Control Strategies, a security fi rm obtain a refund. in New York City. 3. Criminal Identity—Use of a victim’s information to escape fi nes or jail. Victims discover they have But as movement toward electronic medical records acquired a criminal record for bad checks, gains momentum, privacy experts predict that medical shoplifting, pornography, and prostitution among identity theft could grow. Consumers may not even other crimes. know their records have been compromised. In January, a new law took effect in California that requires providers 4. Financial Identity— Use of a victim’s information to let consumers know if their medical information has to obtain vehicles, real estate, and other goods or been “breached.” But few states detail notifi cation services. requirements regarding unauthorized release of patient 5. Medical Identity—Use of a victim’s name, Social medical data. Security number, or insurance coverage to obtain Medical identity theft is exacerbated by strict privacy prescriptions or medical services which reduces the laws. The Health Insurance Portability and Accountability victim’s available benefi ts, damages credit, and Act (HIPAA), enacted by Congress in 1996, set rules and makes it harder for victims to obtain an accurate limits on who can examine personal health information, copy of their medical records as they may be which makes it diffi cult to correct. intermingled with those of the thief. Cullina says there are two non-credit risks that are often Medical identity theft represents a growth area for overlooked: estate identity theft, in which the personal criminals. More than 250,000 Americans fall victim to information of a recently-deceased individual is used, medical identity theft every year, according to a 2007 and employment fraud, in which an individual uses report, the most recent source of federal data on another’s personal information to obtain employment. medical identity theft collected by the Federal Trade He says the next trend may be a by-product of the Commission. Medical identity theft is the most diffi cult recession: data breaches by disgruntled or laid-off identity theft crime to fi x after the fact, because victims employees. have limited rights and recourses, according to the World Privacy Forum.9 Cullina’s bottom line: “Your identity is a core asset. Any damage to it will have serious consequences. So, Matthew Cullina, CEO of Identity Theft 911, a fi rm that manage it as you do your portfolio.”10 provides identity theft restoration services, warns, “It takes a lot of resources and time to resolve a medical identity theft case. For one thing, there is no central source to alleviate the problem. With credit you have to primarily deal with three credit bureaus. With medical identity theft, it requires dealing with each medical provider to prove you are who you say you are. Less than 20 percent of medical records are electronic.”

5 Do you know... who is most at risk for identity theft? what to do if identity theft occurs? A variety of recent research studies paint different Report the fraud to the three major credit bureaus. pictures of who is most at risk. Identity theft can be an Flag your accounts with “fraud alerts” requiring opportunistic crime that preys upon those who exhibit that you be notifi ed whenever a request for a new high risk behavior, as well as a sophisticated crime that account is received. Fraud departments for the three targets its victims carefully based on their wealth and bureaus can be contacted at: access to credit, specifi cally untapped home equity. Experian According to a study conducted by Experian, a global POB 9532 information services company, affl uent suburban Allen, TX 75013 consumers top the list as the most at-risk of becoming 888-397-3742 11 identity theft victims. Identity fraud victims are 43 Equifax percent more likely to fall into “Affl uent Suburbia”, a POB 740241 category described by Experian as “the wealthiest Atlanta, GA 30374-0241 households in the United States” who live in densely 800-525-6285 populated metro areas. Victims are 13 percent more likely to have a college degree and 73 percent more TransUnion likely to hold an advanced degree. Fraud Victims Assistance Division POB 6790 According to the FTC, 24% of identity theft complaints Fullerton, CA 92634-6790 received in 2009 came from people between the ages 800-680-7289 of 20 to 29.12 The odds of being a victim of identity theft increase if you are a young adult or a small business Notify credit card companies, utility service, telephone, owner, according to a Javelin Strategy & Research and Internet providers that you have been a victim of study.13 According to Javelin, people aged 18 to 24 fraud. are more likely to use public, shared computers and Stop payment on outstanding checks and report unsecured wireless networks, both of which leaves them the fraud to check verifi cation companies, such as vulnerable to hackers. In addition, the vast majority use Telecheck (800-710-9898). social networking sites daily and share information that compromises their online privacy. Finally, widespread Close all accounts that have been compromised. use of debit cards to make purchases online as well as Close and reopen checking and savings accounts. in restaurants and bars also increase risk factors for this age segment. Notify the police. If the local police refuse to take a report, advise them that you need it for insurance Small business owners may use personal computers purposes. to complete fi nancial transactions for their business, leaving them vulnerable to cyber criminals who deploy Contact your health insurance company, if you “banking Trojans” to secretly access and manipulate think your medical identity has been compromised. ACH and wire transfers. To reduce the risk, the Your insurer’s anti-fraud unit may be able to help. American Bankers Association and the FBI advise File a claim with your insurance provider. businesses to devote a separate PC exclusively for online banking and not use that computer for email or File a claim with the Federal Trade Commission web browsing. Contact for the FTC is 877-ID THEFT.

6 how to lock out hackers and online Many security experts advise against using wireless thieves? networks. Hackers can stake out your home and “listen” to your online activity. Most if not all encrypted “Typically the ﬁ rst action a victim of identity theft takes wireless networks can be broken into. is to install anti-virus software,” said Tom Rusin, CEO of Afﬁ nion Security Center, a leading provider of identity When selling an old computer, wipe out the hard drive theft protection and data breach resolution services. using a specialized program or destroy the hard drive “Consumers need to be educated and prepared to if you plan to dispose of the computer. proactively protect their identities in the online world, before it is too late.” 14 how to protect your children?

Treat your personal computers as you would your Children are especially vulnerable to online crime. Warn front door -- restrict access and know the key areas of your children of the dangers of the Internet including vulnerability: stalking, spyware, viruses and other potential threats. Other precautions include: Use complex passwords that have a combination of letters and numbers. Do not use words that Install an adult content blocking program, can identify you or are easy-to-guess, such as strong fi rewall, anti-virus/spyware software and “password” or “1234”. monitoring to create the ability to review where your child has been and who/what is being e-mailed. Run the latest version of a proven anti-virus software program on your computer. Find out what computer safeguards are used by your child’s school and in the homes of their friends. Install the latest security patches from software vendors such as Microsoft and Adobe Acrobat. If your children use social networks, you should understand how they function and consider setting up When you log on to your bank account or any other their MySpace or Facebook accounts so you can password-protected site that stores your personal monitor activity. Have frank discussions with your information, be sure to log off when you are fi nished children about online sexual predators. and close your browser completely. Tell your children under no circumstances should Do not respond to pop-up ads that alert you to a virus they agree to accept gifts or meet anyone they’ve infection. Legitimate anti-virus companies don’t use made contact with on the Internet. Instruct them pop-up ads to inform you about the status of your to never post photos of themselves or give out computer. identifying information such as their name, home address, school name, or telephone number. Be aware that free email services, such as Gmail, available from Google, have been criticized by Keep computers in a common area of the home -- privacy groups because many of these services come not in your child’s bedroom -- so you can monitor their with a program that scans the content of messages activity. and sends users advertising based on words found in the email. Your deleted emails may also be stored When your children are preparing to go off to college, on servers. be sure to ask the university about the security of their network, especially if your child is going to use Don’t leave your laptop computer in hotel rooms or the Internet to access a family bank account. Instruct places where others can access it. Hackers install a your child not to use shared computers for fi nancial keystroke tracker which then transmits your account transactions. For more tips and information, read HUB names, PINs, and passwords to the receiving party, International’s “Protect your Children when using enabling them to access your online accounts. Social Media.”

7 How to select a security fi rm? how to insure and protect against High net worth individuals may wish to engage the loss? services of a professional security consultant. However, Insurers and brokers can take an active role in selecting a consultant is challenging, given that there is protecting the cyber security of their clients. A fi rst step no bona fi de credentialing or accreditation process. is educating clients on the risks and putting in place coverage that indemnifi es losses as broadly as possible, A “certifi ed” group of retired law enforcement offi cers not just the expense of restoring credit standing and may have an excellent background in investigations but identity, but where possible the actual fi nancial losses. may not be familiar with the risks facing high net worth individuals. The most prudent course of action is to seek Affi nion’s Rusin recommends fi nding a policy that referrals from trusted friends or colleagues and then protects a person’s full fi nancial assets. While the typical perform rigorous due diligence. loss to a consumer who is victimized by identity theft is less than $1,000, fi nancial institutions may not reimburse In selecting a security fi rm, Viollis suggests looking for their customers for fraudulent cash transactions.16 the following attributes: This makes affl uent individuals with signifi cant cash Specializes in the high net-worth segment with resources particularly vulnerable to fi nancial loss when knowledge of the culture and understanding of the their identity is stolen. importance of privacy. Identity theft insurance and restoration services can be Established track record, verifi ed credentials, and easily added to one’s homeowners’ insurance policy for infrastructure. an additional premium. When deciding on the level of coverage, ask if the policy offers the following: Adequate insurance. Assistance in obtaining emergency identity Full-time employees, not part-timers or authentication and verifi cation and access to subcontractors. investment and bank accounts

24/7 availability Assistance in replacing birth certiﬁ cates, driver’s Principals who are true decision-makers with no silent licenses, passports and Social Security cards, checks partners who could represent a conﬂ ict of interest. and credit/debit cards

Insist on an engagement letter in writing. According Assistance in resolving credit and other problems in to Chubb’s Peter Spicer, the security fi rm should have the event of identity theft or fraud, including a personal some law enforcement experience. In the event of a advocate to help the policyholder through the process crisis, they will know how to work with law enforcement of identity theft recovery agencies on the client’s behalf. “There is an ‘underworld’ Help in contacting police departments, creditors and Internet where criminals, predators and other bad actors credit rating agencies as well as assistance in creating lurk - exchanging information and targeting people’s a case fi le for insurance claims and law enforcement identities, fi nances and at times, reputations,” he said. investigations A security fi rm without this expertise is missing a huge ability to “listen” to that underworld for relevant threats Coverage for fi nancial losses by third parties who gain to its clients.”15 access to checkbooks, credit cards, 401(k), savings accounts, or stocks and bonds

Coverage for stalking victims, if the stalker is known to the insured and subject to a court-issued restraining

8 order. Chubb, Fireman’s Fund, and Chartis specialize Medical Information Bureau (MIB Group). If you in serving affl uent individuals and families, are have applied for individually underwritten life, health, considering expanded coverage for actual fi nancial or disability income insurance in the past seven years, losses. you can obtain a copy of your consumer fi le containing information on medical conditions and treatment Affi nion Security Center’s Tom Rusin recommends that annually at no charge. www.mib.com any form of protection needs to not only be able to help resolve a theft, but also be able to proactively identify My IDScore. This free resource uses data analytics one. “Ensuring that the Internet is being monitored for to fi nd anomalies in how your personal information is your personal information, both in terms of public facing used and provides you an identity score. The higher websites and the underground, helps you to quickly the score, the greater your risk of becoming a victim of detect when your identity is at risk,” he said. “Typically, identity theft. www.myidscore.com. the quicker you’re able to react, the less fi nancial harm Identity Secure. Identity theft protection product from is done.” Affi nion that guards against many forms of identity theft. Many standalone identity theft prevention products have Get your fi rst month of protection for $1 when you sign evolved to include a comprehensive range of services up at www.identitysecure.com/hub including online monitoring of personal information in addition to insurance coverage and restoration support services in the event of a loss.

To better equip you to evaluate these products, refer to the “Shopper’s Guide to Identity Theft Protection” in this white paper. When evaluating products, be sure to ask about the security of the provider’s system infrastructure where your personal information will be stored. An ISO certiﬁ cation for information security is highly recommended.

about other valuable resources... Privacy Rights Clearinghouse. More information, statistics and helpful tips www.privacyrights.org

Federal Trade Commission. Tools to combat identity theft and information on how to ﬁ le an FTC identity theft complaint. www.ftc.gov

Internet Crime Complaint Center (IC3). Tips on preventing cyber crime, including identity theft, auction fraud, phishing/spooﬁ ng and dealing with spam. www. ic3.gov

Health Insurance Portability and Accountability Act (HIPAA). Information about HIPPA, procedures and fees from insurers and providers. http://www.cms.hhs.gov/ hipaaGenInfo

9 Shopper’s Guide to Identity Theft Protection Products

If you are considering an identity theft prevention product, look for a comprehensive range of services that provide preventive, detection and restoration services. The following guide explains the various services available and what to look for when comparing products.

Service What it Does Why Consider it Prevention Internet Fraud Monitoring & Web-crawling technology monitors chat Provides an early warning of potential Alerts rooms, websites & blogs where stolen compromises to your credit/debit card data is traded and alerts you if your information. Look for a product that credit card numbers and Social Security provides 24/7 real time alerts by phone number is found. or email. Placement & Renewal of Fraud alerts warn potential creditors You can place a fraud alert on your own. Fraud Alerts that they must verify your identity before Under federal law, there is no charge for issuing credit in your name. Fraud alerts you to place a fraud alert with the three may help prevent thieves from opening credit bureaus for an initial (90 day) or a new account in your name but it will extended (7 year) term. Some identity not prevent misuse of your existing theft products offer to perform this accounts. service for you. Placement of Credit Freeze Enables you to restrict access to your In many states, credit freezes are free credit report. Potential creditors and for identity theft victims; otherwise the businesses can’t access your information charge is about $10 per credit reporting which makes it more difﬁ cult for thieves company. This service is included in to open a new account in your name. some identity theft products. Credit freezes do not prevent misuse of your existing accounts. Removal from pre-screened Removes your name from pre-screened To opt out of many pre-sceened credit credit offers offers which reduces opportunities for offers simply call 1-888-OPTOUT or go thieves to steal this information from your to optoutprescreen.com. This service is mailbox or trash. free and already available to you. Detection Triple Credit Report Credit reports from 3 bureaus: Experian, Monitoring your credit reports on a Equifax and Transunion. Availability regular basis is one of the best ways to of reports may be every 90 days to manage your credit and discover if your unlimited access, depending on product identity has been stolen. purchased. Triple Credit Scores Credit scores from all three bureaus: Your credit scores are an indicator of Experian, Equifax and Transunion your ﬁ nancial health and the risk that you pose to lenders. Combined with your credit reports, you’ll get a complete picture of your credit strength.

10 Service What it Does Why Consider it Triple Credit Monitoring & Monitors all three credit bureau reports Provides early detection of suspicious Alerts and alerts you when a new account is activity. Look for a product that offers opened (or queried) in your name. daily monitoring services and provides 24/7 real time alerts by phone or email. Credit Report Specialists FRCA certiﬁ ed specialists who answer Get answers to questions about your Available questions and explain fraud alerts. credit report.

Restoration Identity Theft Insurance Guaranteed issue coverage. Most The cost to recover from identity theft policies cover legal expenses, lost may exceed your actual monetary loss. wages, and expenses related to Read the coverage terms, conditions recovering from identity theft while others and exclusions. may also reimburse for the actual loss. Coverage limits typically range from $10,000 - $25,000.

Identity Restoration Support Caseworker will assist you in the If full recovery services are purchased, recovery process. Services can range you will need to sign a limited power of from personalized, step-by-step attorney which enables the company instructions to having the caseworker do to act on your behalf with creditors and the actual recovery work for you. credit bureaus. Other Services Credit Card Registration Services may include secure online Makes reporting process quicker and card and document registration and easier in the event of a breech 800-number to report lost/stolen cards. Emergency cash or pre-paid Emergency cash is charged as a cash If you are a frequent traveler, this option airline ticket advance on a designated bank card and may provide some peace of mind. Check airline ticket is charged as a purchase to the ﬁ ne print. your credit card account. Service Guarantee or Due to a failure of their service, company These “guarantees” are not a Warranty may pledge to pay up to $1-$2 million to replacement for insurance coverage. help you recover. Read the ﬁ ne print carefully.

11 12 Identity Theft and Cyber Security Checklist

Identity theft is a risk that continues to grow and change daily. Due to the many forms identity theft can take, including medical, credit, and ﬁ nancial, the threat remains prevalent and affects millions of people per year. Keeping up-to-date with the latest prevention methods is the surest way to protect your assets and identity. Here are a number of steps you can take to reduce the risk of identity theft happening to you.

1. Reduce access to your personal information If asked for your Social Security number, be sure to inquire why it is needed and how it will be protected. If you are applying for a credit card or insurance, you will typically be required to provide your Social Security number so the provider can pull your credit report. When asked for this information by your doctor’s ofﬁ ce, you should insist that the information on your insurance card is sufﬁ cient. Do not provide your Social Security number to online job websites or over the phone. Do not carry your Social Security card in your wallet.

Do not share personal information on social media sites or online proﬁ les. Do not post your home address, birth date, phone number, relationship status or information about your children. This information makes it easier for identity thieves to gather information about you. Customize the privacy settings on your online proﬁ le so it is not accessible to anyone. For more information, read “Social Media Safety Checklist” from HUB International. Avoid online games or quizzes that require you to provide personal information.

2. Eliminate unwanted credit solicitations. Take the following preventive steps: Contact 888-567-8688 and opt out of pre-screened credit card applications. Register for the National Do Not Call Registry that gives you a choice about whether to receive telemarketing calls at home. Go to https://www.donotcall.gov/register/reg.aspx, ﬁ ll out the form and submit. Contact DMA Opt-Out Preference Service to limit direct marketing efforts: www.dmachoice.org. Ask your credit card companies to cease sending convenience checks.

3. Do not respond to emails requesting personal information. “Phishing” is a technique used by criminals to solicit your personal data by sending what appears to be a legitimate email request from a recognized source, including banks, credit card companies or social networking sites. Be suspicious of any email that asks for sensitive personal information, even if the sender is familiar to you. Avoid ﬁ lling out forms contained in an email message or pop-ups, even if it appears to be from a company that you do business with. If you receive an email from what appears to be your bank or credit card company, call them to conﬁ rm – and use the telephone number on your bank or credit card statement, NOT the one in the “phishing” email. Emails with misspellings or poor grammar are usually a good indication that the sender is a fraud.

4. Buy a shredder that cuts your paper into confetti Thieves use discarded information to collect personal data on victims. A paper shredder reduces the potential for “dumpster diving” thieves to obtain your personal data from the following sources: Credit applications Expired credit cards Bank and credit card statements Renewal forms that contain personal data Unwanted and unused convenience checks Identity Theft and Cyber Security Checklist

5. Use ATM machines cautiously. The ATM Industry Association reports over $1 billion in annual global losses from credit card fraud and electronic crime associated with ATMs.17 Security experts recommend that you use ATMs at banks and avoid portable ATM machines, which may be more susceptible to tampering. Regardless of location, watch for “shoulder surﬁ ng.” Change locations if you are suspicious of people, the surroundings, or the machine itself.

6. Use credit cards instead of debit cards for large purchases and online shopping. By federal law, credit card companies have strong consumer protection and fraud investigators to help you. Making purchases by credit card gives you an extra layer of protection.

7. Maintain a list of credit card issuers and phone numbers Make a phone list of your credit card issuers and store in a safe place. If your card(s) are lost or stolen, these phone numbers will enable you to contact the card issuer quickly, minimizing your liability.

8. Monitor your ﬁ nancial records Review your credit card and bank statements each month. Refute any unauthorized charges within 30-60 days. Call your bank or credit card company immediately if you see any activity that could be fraudulent. Use passwords that are not easily guessed. Do not share passwords with anyone. Purchase virus, adware and ﬁ rewall protection for your computers. If you have a wireless network, make certain that access is encrypted. Warn your children of the dangers of the Internet including stalking, spyware, viruses and other potential threats.

9. Keep Track of insurance cards Guard your insurance card as you would your credit or ATM cards. Never give your medical information over the phone or lend your card to a friend. Medicare recipients need to be extremely careful as their Social Security numbers are printed on their Medicare cards.

10. Monitor your medical statements If your health plan offers an online portal to monitor your benefi ts, sign up for a password-protected account and keep track of all usage of your health benefi ts. If your insurer does not offer online access, ask for a summary of claims submitted under your name. Thieves may redirect your Explanation of Benefi ts (EOB) form to a fake address, making it more diffi cult for you to identify a breach. Every time you receive an EOB from your health insurance company, check it carefully. If you see incorrect group numbers, names of medical facilities you don’t recognize, or treatments you don’t recall receiving, contact your health plan immediately.

11. Monitor your medical records Request a copy of your medical records from your physician(s) and keep in a secure place. If your medical identity is stolen and your medical records are altered, you’ll have documentation to prove who you are when you report the fraud. It will also make it easier for you to prove the fraud and correct your medical records.

12. Review Social Security Beneﬁ ts Review your Social Security statement to identify attempts to use your identity to seek employment. Contact 800-772-1213 to request earnings and beneﬁ t statements or request the information via the Internet at www.ssa.gov.

13. Check your credit report regularly You can get a free annual copy of your report from all three credit reporting agencies at www.annualcreditreport.com. Experts recommend that you check your credit report at least every 90 days.

For more information, contact your HUB International Personal Insurance advisor.

This information is provided for general information purposes only. It does not constitute professional advice and does not create a broker-client relationship. Please consult a HUB advisor about your speciﬁ c needs before taking any action.

www.hubinternational.com Sources 1. “2010 Identity Fraud Survey Report: Identity Fraud 10. Telephone interview with Matthew Cullina, Identity Continues to Rise – New Accounts Fraud Drives Theft 911, 2009 Increase; Consumer Costs at an All-Time Low”, Javelin Strategy and Research, February 2010. 11. “Portrait of a Fraud Victim: Affl uent Suburbans Most At Risk for Identity Theft”, Market Insight Snapshot, 2. “FTC Issues Final Rules on FACTA Identity Theft Experian, January 27, 2010 Defi nitions, Active Duty Alert Duration, and Appropriate Proof of Identity”, Press Release, October 29, 2004. 12. “Consumer Sentinel Network Data Book for January – December 2009”, Federal Trade Commission, 3. Telephone interview with Paul Viollis, CEO Risk February 2010. Strategies Consulting, 2009 13. “2010 Identity Fraud Survey Report: Identity 4. “Information Week exposes the Internet Underworld,” Fraud Continues to Rise – New Accounts Fraud Drives Bloggernews.net, February 12, 2007 Increase; Consumer Costs at an All-Time Low”, Javelin Strategy and Research, February 2010. 5. “Emerging Cyber Threats Report for 2009,” Georgia Tech Information Security Center 14. Interview with Tom Rusin, Affi nion Security Center, 2009. 6. Ibid 15. Telephone interview with Peter Spicer, Chubb 7. “Cyber Scams on the Uptick in Downturn,” Wall Personal Insurance, 2009 Street Journal, January 2009 16. “Identity Theft: The Aftermath 2008,” Identity Theft 8. “Beware of Facebook Scams,” Aaron Broverman, Resource Center, May, 2009 Bankrate.com, March 25, 2009 17. “ATM Card Skimming on the Rise,” Ike Wilson, 9. “Medical Identity Theft: The Information Crime That Frederick News Post, May 27, 2009 Can Kill You,” Pam Dixon, The World Privacy Forum, Spring 2006

HUB International thanks the following resources for their contribution to this white paper. Affi nion Security Center Risk Control Strategies Tom Rusin, CEO Paul Viollis, CEO 203.956.8939 Scot Braunzell, Cyber Security Trusin@affi nion.com 212.267.6992 AIU Holdings www.riskcontrolstrategies.com Todd Triano, Vice President - Loss Prevention Insite Security, Inc. 908.679.3066 Christopher Falkenberg, President Cell: 908.399.0502 212.362.5700 CHUBB [email protected] Peter D. Spicer, Communications Manager, Identity Theft 911 Chubb Personal Insurance Matthew Cullina, CEO 908.572.2843 480.355.8500 [email protected] [email protected] Fireman’s Fund Donald E. Soss, Chief Underwriting Offi cer Personal Lines 415.899.2000

For more information about cyber security risks and insurance solutions, contact James Kane, President, HUB International Personal Insurance at [email protected], or your HUB International Personal Insurance advisor.

15 HUB International Limited Headquartered in Chicago, HUB International is a leading North American insurance brokerage that provides a broad array of property and casualty, reinsurance, life and health, employee beneﬁ ts, investment and risk management products and services through over 200 ofﬁ ces across the United States and Canada.

HUB Personal Insurance HUB International Personal Insurance, a specialized practice within HUB International, is dedicated exclusively to serving individuals and their advisors. As one of the largest and most sophisticated personal insurance practices in North America, HUB provides detailed guidance to help protect everything from family members, homes, autos, and treasured belongings.

HUB Private Client Advisors is a leading resource for high net worth individuals and their advisors providing risk management solutions for their unique needs. For more information, visit www.hubfamilyofﬁ ce.com

This information is provided for generation information purposes only. HUB International makes no warranties, express, implied or statutory, as to the adequacy, timeliness, completeness or accuracy of information in this document. This document does not constitute advice and does not create a broker-client relationship. Please consult a Hub International advisor about your speciﬁ c needs before taking any action. Statements concerning legal matters should be understood to be general observations and should not be relied upon as legal advice, which we are not authorized to provide.