It’s National Cyber Security Awareness Month (NCSAM), and we at the National Cyber Security Alliance (NCSA) are excited to kick off this monthlong initiative dedicated to empowering internet users to be safer, more secure and better protect their personal information online. This first week of NCSAM, we’re highlighting STOP. THINK. CONNECT.™ and simple steps to online safety.
One of the top consumer online safety concerns is identity theft, a crime that involves the unauthorized use of victims’ personal information, like credit and banking data and Social Security numbers. Identity theft is often in the news as cyber threats like the recent Equifax breach make headlines and can have devastating consequences for those who fall victim to it, and there is one group we may want to pay especially close attention to protecting from this crime – children.
I recently had the opportunity to talk with Eva Velasquez, president and CEO of the Identity Theft Resource Center (ITRC), about the issue of child identity theft; the ITRC has just released its 2017 Identity Theft: The Aftermath report, which shares insight into the complex issue of identity theft and the difficulties it creates for victims, families and communities, this month. In this discussion, Eva highlighted how and why criminals go after children’s information, the impact of children’s information being compromised and what parents can do to protect their children’s identities and recover from an incident.
MICHAEL KAISER: NCSA has found that identity theft continues to be a top concern for consumers. How big of an issue is child identity theft?
EVA VELASQUEZ: Unfortunately, child identity theft is underreported and often goes undetected for long periods of time, making it very difficult to capture the true scope of the problem. Overall, identity theft incidents continue to affect tens of millions of individuals yearly, and the numbers continue to rise year after year. In the case of children, they are assigned identity credentials at birth, and their data is just as valuable, if not more valuable, than adult identity credentials.
MK: Why do identity thieves go after children’s identities in particular? Why would children’s personal information be valuable to criminals?
EV: Thieves often find ways to target entities that they know house personal information belonging to children. These targets could include schools, certain government agencies (including foster care) and medical entities. Thieves think of these identity credentials as a clean slate, and they are right. Criminals can use children’s information to build profiles, which can then be monetized in a variety of ways. Additionally, minors younger than 18 are not viewing their credit reports or identifying information in the same manner as adults, so detection becomes even more difficult. In many cases, an adult discovers an identity theft incident when it puts a roadblock in front of them, like attempting to buy a home or car or applying for credit, job, or housing. Children are not taking these actions, and therefore they are not discovering their identities have been stolen until later in life. Child identity theft allows thieves to use their victims’ information for longer periods of time, leaving even more devastation in their wake.
MK: If a child’s identity is stolen, what are the potential impacts on them?
EV: If we consider how hard it is to launch into adulthood, then add a significant roadblock like identity theft on top of that, we can get some idea of the impact. Consider an individual who is nearing the age of 18 and has dreams of a college education: if they discover they are a victim while applying for student aid or loans, they will have to clean up this mess before they can move forward and pursue those educational opportunities. In some cases, this can result in postponing their education for a semester, or even a year, which puts them permanently behind their peers. They will never get that time back. How do we measure the impact of that kind of lost opportunity?
MK: What – if any – warning signs should parents keep an eye out for when it comes to potential loss of their children’s identities?
EV: Parents should certainly pay attention to any data breach notifications or publicity regarding institutions they do business with or have a relationship with. In the case of the Anthem breach, for example, dependent information was compromised. Parents should also keep an eye out for incoming communications addressed to their children that feel odd or inappropriate, such as collection notices, explanations of benefits for medical services that were not received or even jury summons – these are things that children should not be receiving and parents need to follow up on immediately. Lastly, there are some options for parents regarding placing a credit/security freeze on the credit profiles of their minor children, but the process and availability varies from state to state. To see what those options are in your state, check out the ITRC’s state resource guide.
MK: With the proliferation of new connected devices at home, at school and on the go, where might children’s data be collected and stored that parents might not think of?
EV: We are all creating hundreds of data points daily, and that number increases the more you engage, particularly online or through connected devices. Of course, we know that schools have our children’s information, but what about extracurricular programs, medical and dental providers and even social media accounts? Parents and relatives are even creating social media pages for their unborn children and using the ultrasound pictures for their profiles. What we might not realize is that we are building up a treasure trove of information that can be mined, crunched and profiled – even before a child is born. Even when we are trying to protect our children we can overlook the long-term dangers to their identities. Consider child fingerprint and safety kits, which are devised to help us in the critical cases of missing children: these kits can be useful tools, but companies or organizations that encourage you to digitize your children’s fingerprints and carry them on your keychain via a USB drive are dangerous. Once that information is lost, it’s compromised forever; besides, law enforcement will confirm they do not need a child’s digital fingerprints to launch an effective search campaign. They will need physical descriptions and recent photographs, but fingerprints can be kept in a secure location at home and don’t need to be carried with you everywhere you go.
MK: What proactive steps can parents take to protect their children’s identities?
EV: Simply being aware of the value of your child’s identity credentials is a great first step. We protect kids physically by teaching them how to safely cross the street and not talk to strangers. We need to incorporate safely navigating online, using smart devices and sharing information as part of that safety routine as well. In essence, it’s still teaching them not to talk to strangers, just in a completely different context. The ITRC offers fact sheets and solutions, all at no cost to the public. Parents who want more information can find it on the ITRC website.
MK: What should someone do if they think their child’s information has been lost in a data breach or their child’s identity has been stolen?
EV: These are different experiences that require different remediation processes. If a child’s information is compromised in a data breach, parents need to understand exactly what data was compromised. Things like a Social Security number breach require parents to remain vigilant in protecting their child’s identity, particularly (nonexistent) credit profiles, and follow the steps listed. When a child’s identity is actually used to secure goods or services, parents need to begin the remediation process, which is more arduous when minors are involved. See the ITRC Fact sheet for the preliminary steps to take.
MK: In research we did with Microsoft last year, teens indicated that preventing identity theft was one of the top online safety topics they wanted to learn more about. What advice do you have for today’s connected teens and young adults to help them get engaged and involved in protecting their identities and personal information?
EV: The fact that younger generations realize this is an issue and take it seriously is a big step in the right direction. Teens need to learn a healthy respect for their own privacy and not overshare (self-compromise) their own important data. We often see unintended compromises, such as a teen taking a picture of their driver’s license when they first receive it and posting it to social media to immortalize a landmark event. A child may not realize how sensitive this information is or what someone with the right technical skills can do with that photo. Engaging with organizations that help them know how to protect themselves, such as the ITRC and NCSA, is also a great start that allows them to participate in social media in a healthy way, while getting a dose of education at the same time.
Check out the Identity Theft: The Aftermath report for more findings and insights from the study. Follow #CyberAware all October long on social media for online safety news, tips and resources to use this NCSAM and to join the conversation. For tips on how you can be safer online and protect your personal information, visit staysafeonline.org – and follow us on Facebook and Twitter for year-round cybersecurity advice and news.