News broke last week of a massive breach at Equifax, one of the big-three credit ratings agencies. Much of the commentary has focused on the company’s handling of the incident and the scale of the breach, an estimated 143 million people.
You’re likely one of those 143 million affected, and the information breached is as sensitive as it gets – full legal name, addresses, social security numbers, the works. Setting aside for a moment the scale of the breach, this incident drives home a crucial point – you can’t depend on third parties to protect your personal information.
Many companies and organizations are diligent and effective at protecting your personal information, but as the news of last week clearly demonstrates, that isn’t true of every organization.
So, let’s assume for a moment that your identifying information is thoroughly compromised. What should you do next?

Freeze Your Credit

The primary targets for identity thieves are financial – opening new accounts in the name of their victim or modifying existing accounts to steal money. Freezing your credit locks down your credit so that only your existing creditors or government agencies with a subpoena can access your credit report, which effectively makes it impossible to open new accounts in your name.
To do this, you need to contact each of the agencies through their website or a phone call and initiate the freeze. They’ll put the freeze in place and issue a PIN you’ll need to “thaw” the freeze when you want to open a new account in the future.
Now, this isn’t a perfect solution. There are three things to keep in mind –

  1. The reporting agencies charge a fee to freeze your credit, between $5 and $15 per agency. They may also charge a fee to thaw the freeze later.
  2. Any changes that would require a credit check will now require you to contact the credit agencies in advance to thaw your freeze before the check can proceed. You can do this for specific companies or periods of time, but there’s often a delay between requesting the thaw and it taking effect, so plan ahead.
  3. A credit freeze does nothing to protect your existing accounts. We’ll talk about that in a moment.

There’s one more joker in the deck. Remember that PIN you need to thaw your credit freeze? People are not very good at managing those, so naturally the agencies have processes for dealing with lost or forgotten PINs. They involve having to prove your identity to the agency – using the types of information that have been breached in the Equifax incident.
I still think this is worth doing – identity thieves are not interested in extra work, so this can easily be enough to make them move on to their next target. Just don’t think this is going to solve all your troubles.

Lock Your Social Security Number

It’s possible to lock your Social Security Number as well, following a simple process with the U.S. Citizenship and Immigration Services. This doesn’t offer a great deal of protection, as their main focus is protecting against employment reporting fraud, but it’s not a bad idea and it’s easy to do. Follow the steps on this web page to create an account and lock your number.

Watch for Tax Fraud

One of the easiest and most lucrative means of capitalizing on identity theft is to file a fraudulent tax return. The IRS is actively working on improving the situation but at the moment the best things you can do are mostly reactive. File your return as early in the filing period as possible, and watch for signs of issues – the IRS will report if they receive two returns, for example.
In that case, you can work with the IRS to prove the valid return and to protect your return in the future, but they don’t yet have anything in place for proactive protection. That’s likely to change, so keep an eye open for that in the future.

Audit Your Account Security

This is a great time to go through your open accounts and make sure they’re protected. Make a list of your financial accounts – your banks, your 401k, investment accounts, loan companies, etc.
For each account, do the following:

  1. Check that each account’s contact information is up to date. Make sure the email address on file for each one points to an account you monitor regularly – and add that email account to this list of accounts.
  2. Turn on whatever activity notifications are available, so that any changes to the account will be reported to your email.
  3. Turn on available fraud protections for the account. Most banks and credit card companies offer free monitoring.
  4. Secure your account access. Make sure the password is a strong one, and enable two-factor authentication. This is a process where logging into the account requires not only your password but something like a security code sent to your mobile phone. Do this for your primary email account, too.
  5. If the account uses security questions – “What’s your mother’s maiden name?” and the like – go through those and change your responses to incorrect but memorable answers. Don’t use anything likely to have been breached, or that someone else could look up. Your mother’s maiden name is Smith? Then your security answer should be anything but Smith.

Monitor Your Credit

Everyone wants to sell you credit monitoring. Don’t do it – it isn’t worth the cost.
First, you probably already have free credit monitoring through one of your banks or credit cards, and if you do, by all means sign up and take advantage of it. It isn’t that credit monitoring doesn’t have value, it’s just not worth paying extra for it.
Second, get into the habit of checking your credit report on a regular basis. You’re entitled to free, detailed copies of your report every year by federal law. There are many sites set up to arrange this for you, but the only one recommended by the government directly is
Taking these steps will go a long way to protecting your information. It’s not a guarantee, but it will at minimum mean you’re not the easiest target, and that is often enough.
Next week, I’ll post an article on the steps to take in case you’re already a victim of identity theft.