By Allyn Hughes, CFP®, ChFC®, CLU®, CAP®
My wife and I recently moved and got a home mortgage. The process of getting this mortgage was smooth, although it required an impressive amount of paperwork.
Our home purchase closed on December 18th of last year. As part of the transition from our old house to our new one, we prepaid the January payment on our new mortgage, so no payment was due then.
By the time we made our first payment on February 1st, we had received a notice that our 15-year mortgage loan had been sold into the secondary market and that the loan originator, Flagstar Bank, no longer owned it. They did keep the servicing of the loan, however, so they continue to accept our payments and send us monthly mortgage statements.
Before we received our third mortgage payment statement on April 1st, we received another letter from Flagstar. The letter informed us that one of their vendors, Accellion, had “a vulnerability that was exploited by an unauthorized party.” It went on to say that this party now had access to our names, account number and Social Security numbers.
My identity had been stolen again. More importantly, I really don’t know how it was done.
Eight or nine years ago my identity was stolen and someone filed a bogus tax return (eligible for a big tax refund) in my name. When I went to file my taxes that year, the IRS did not accept my electronic tax return because another return had already been processed. I spent about a month working with local police departments and credit bureaus to inform them of this theft and to lock down access to my credit and personal information.
This seemed to work pretty well until I got this new home loan.
Flagstar’s letter went on to say that “out of an abundance of caution we have secured the services of Kroll to provide identity monitoring at no cost to you for two years.” Their estimate of the value of my Social Security number, either to me or to another party, is the cost of 24 months of credit monitoring, which was likely purchased at a wholesale rate. Kroll is part of Duff and Phelps, and they must specialize in providing credit monitoring services to the many companies that have allowed their customers’ records to be taken from them.
In 1999, the Gramm–Leach–Bliley Act (the Financial Services Modernization Act) was passed by Congress and signed into law by Bill Clinton. This act created the first federal requirements for financial institutions to protect the personal information of their clients and customers. Since then, states have passed more than 47 laws of their own to try to protect personal information.
Even with all of these laws, as far as I can tell, Flagstar won’t have to pay any penalties or repay the expenses of the customers whose personal information was taken. It is my guess that no one will be fired and there will be no long-term consequences from this error. In a few months, it will just fade away.
What if America treated identity theft differently? What if Congress enacted legislation to help protect consumers from identity theft by financial institutions? Here are some provisions that I would like to see in a bill:
- The company that has been hacked must inform all customers who had their data stolen no later than one week after the hack has been identified.
- The hacked company must pay $1,000 to each customer whose personal information (like Social Security number) was stolen. This payment is to pay for the time and effort required to report this to local police departments and credit reporting agencies.
- If the customer already uses a credit monitoring service, the company must pay for this service for three years from the date of the identity theft.
- For the next three years the company must include a sentence at the top of all marketing programs and client communications – including corporate and product-based web sites – that the company has had a data breach, so current customers who were unaffected by the hack – and new potential clients – can determine whether to work with the firm.
- For banks and mortgage companies that make loans, prospective borrowers will be required to sign a form which acknowledges that the lender has been hacked in the past and has failed to secure important client information.
- The hack will be audited by an independent third party at the firm’s expense. If the firm is found to be negligent, then clients will be able to sue the company in the state that they live in, either as a class or in small-claims court.
Hopefully, a consumer rights organization can begin to work on a consumer identity theft bill. Until then, the most personal information of U.S. consumers will be at risk.