Archive for October, 2017

Equifax and the other credit bureaus are trying to convince consumers to put “credit locks” on their credit files instead of credit freezes. Credit locks are – I think – a really bad, bad idea. Why?

  1. Why would you trust anything a company tells you that did not encrypt a database with 145 MILLION records in it? Former Equifax CEO Smith testified yesterday at the House of Representatives that Equifax has a poor record of encrypting data. To read the latest about the EquiMess, click on Wired‘s “6 Fresh Horrors From the Equifax CEO’s Congressional Hearing.” Talk about dancing on the head of a pin!
  2. The credit bureaus claim a lock is “free” and simple to use through an app on your phone … the problem is that nothing is free, and again, why would anyone trust them? They’re selling your information somehow to pay for that lock.
  3. What’s the difference between a lock and a freeze? Well, nobody seems to know. While credit freezes have a cost to set up and remove (which varies from state to state), they’re regulated by state and federal law. When you sign up for a freeze, you do not have to agree to arbitrary credit bureau terms and conditions (such as giving up your right to sue or participate in class-action law suits).

More on credit freezes vs credit locks: “Myths vs. facts: Sorting out confusion surrounding Equifax breach, credit freezes.”

I have been doing a lot of thinking about Equifax. You can point fingers and say … well, you can say all kinds of things. Equifax should have patched faster, they should have notified faster, they should have been more organized about their response, they should have spent more money on security … While every one of those statements are true, they do not resolve the problem of breach response. They will not prevent future breaches. They do not make us safer.

What is  going to make us safer?

What have we learned from all these breaches? What will keep our information safe going forward? That is what really matters. What happened in the past only matters if we learned something from it (unless you are an attorney running a class-action lawsuit or, God forbid, your identity was stolen).


Should the US implement regulations like the European Union’s General Data Protection Regulation (GDPR)? Will more regulation make us safer?

There’s no doubt we need better regulations and oversight, especially on data brokers. There are more than 2500 data brokers in this country; your information is their product. For the most part, you cannot opt out and you cannot control what data brokers do with it. And if your file contains errors, chances are you will not be able to correct those errors. For an interesting overview of data brokers, read Privacy Rights Clearinghouse’s article “Data Brokers and ‘People Search’ Sites.”

Won’t automation or lots of expensive tools keep us safer?

Part of the problem is that big companies in particular want to throw technological solutions at data security. Maybe technological solutions make the board feel safer. Maybe they cannot find personnel. Maybe it is because people are expensive.

Layers of security

When an organization gets breached because they did not patch or no one was paying attention to alerts, management may be surprised because they thought spending money on expensive tools would save them from breaches.  The vendors say it was not their fault because the tools were not correctly implemented. The staff says they did not get training or they were testing it or it does not work the way it is supposed to or there were too many extraneous alerts.

Organizations need tools, but their focus should be on the basics. Organizations should know how their data flows: how it comes in, where it goes internally, and when and where it leaves. Private personal information (PPI) should be encrypted whether it is moving or at rest. Organizations should know what and where their assets are. They should understand that employees are going to make mistakes and plan for them. Back up, disaster recovery, and redundant systems are necessary. Flat networks are a disaster waiting to happen: put things in security zones and implement authorization and authentication practices. Enact user training. Be careful who has administrative privileges. Practice safe passwords. Implement policies and procedures and physical security.

Security people know these layers; management should know and understand them also.

Today is the kickoff for the 14th annual National Cyber Security Awareness Month. Do your part to protect your own and other people’s information. For tips, visit

I belong to a neighborhood social media group. Recently, there has been post after post about vehicle and mail-box break-ins in our neighborhood. While avoiding all thefts is not possible, make it more difficult for thieves and maybe they will look for an easier target.

  • Keep your house and vehicle locked at all times.
  • Don’t leave anything – especially electronics and wallets or purses – in sight in your vehicles, remove documents with personal information – vehicle title/registration, loan paperwork, birth certificate, drivers license, passport, bills – from the vehicle.
  • Do not leave garage door openers or house keys, checks, checkbooks, or credit cards in your vehicle.
  • Keep your vehicle insurance in your wallet or purse.
  • A ring of identity thieves who broke into vehicles expressly to steal ID was busted in Dallas in April, story here:
  • Especially don’t put expensive electronics in your trunk for long periods of time when parked in your driveway. You never know who’s watching you.

Also, your car insurance may not cover your losses if your auto was stolen or vandalized when it was unlocked.

The Texas Department of Motor Vehicles has a brochure you can download about how to protect yourself somewhat from auto theft at

Furthermore, try to collect your mail every afternoon or send your important mail to a post office or UPS box. You can also sign up for Informed Delivery by USPS at – this email allows you to know if something is missing from your mailbox.