Protect against ID theft, before and after your information is stolen
In a world where major data breaches seem occur once every few months, chances are quite high that your personal information will be (or has already been!) stolen. That's the bad news. The good news is that it needn't be the end of the world. Here are some ways you can protect yourself, as well as how to respond if you know your information has been stolen.
But first: what does "stealing your personal information" even mean?
Identity Theft 101
Why would someone even want your personal information? What's the danger? While there are several ways a thief could use your information, the Big Three are as follows.
First: bank account and credit card fraud. If someone has access to your bank account and/or credit card number, and enough of your personal information to pass themselves off as you, then they can potentially gain access to said accounts and even open new ones. This does the most direct harm, but also has the most direct remedy (see below).
Next up is Social Security fraud. Someone with your SSN and even a little bit of personal information can potentially open new credit card and loan accounts. While this may not directly harm you -- if they don't have your bank account information, they're spending the lender's money, not yours -- it can wreak merry havoc on your credit score, which will make it very hard the next time the real you applies for a loan.
Finally: tax fraud. Technically this is a subset of Social Security fraud, but I want to call it out specifically, as (a) it comes at you differently than credit fraud, and (b) it's common enough to warrant your attention. With tax fraud, the identity thief pretends to be you when filing taxes and claims a bogus refund. Among other things, this makes it harder for Real You to file your tax return.
So there are three main avenues of attack here: someone could (a) directly steal your money, (b) ruin your credit history, or (c) prevent you from filing taxes. (That last may not sound so bad if you owe taxes, but trust me, you do not want a tax lien.) Let's look at the lines of defense for said attacks.
First and foremost: assume your information has already been stolen. Many people attempt to secure their information to keep thieves from gaining access to it in the first place, but there's only so much you can do. Your password my be secure; you may refuse to give your Social Security number to anyone who isn't a lender; you may avoid opening online accounts unless forced to. Regardless of all this, the Equifax breach last year affected approximately 44% of Americans -- and quite literally zero consumers gave them their information directly. While I would never discourage you from being as secure with your information as possible, I would encourage you to mount your defense under the assumption that your personal information is already in the hands of someone who is going to misuse it.
Use different passwords for each account. That way, if someone steals your Facebook userid & password, they can't then use it to log in to Amazon and buy two tons of creamed corn.
Set up multifactor authentication on your financial accounts. "Multifactor authentication", or MFA, simply means using something in addition to a password when logging in, like a code texted to your cell phone. Using MFA makes it an order of magnitude more difficult for someone who steals your password to use it to log in to your financial accounts. (Thankfully, many banks insist on using this, whether or not you ask for it!)
Monitor your bank and credit card accounts. Every bank and CC provider gives you convenient online access to your accounts, and personal finance software like Mint.com, You Need A Budget and Quicken provide you a central "hub" from which you can review all of your accounts at a glance. Moreover, most providers allow you to set up "alerts" so that you're texted for any transactions over a certain amount, or if your balance goes above or below a certain threshold.
Report suspicious activity immediately. If you spot bank activity that isn't you, or if your credit card is lost or stolen, immediately report this to the account provider; they'll often have a phone number or link on their website that allows you to quickly make a report. (Of course, if your credit card is lost or stolen, you should report that immediately!) According to the Fair Credit Billing Act, your maximum liability for credit card fraud is $50, or $0 if you report loss or theft before the fraudulent transaction takes place. On the debit card side, your max liability is $0 if you report before the transaction, $50 if you report within 2 business days of learning of the loss or theft, and $500 if you report less than 60 days after receiving your bank statement. That said, many providers have a "zero liability" policy; in most situations, they'll completely refund the fraudulent charges. Don't rely on that, though; keep a weather eye on your accounts, and report it the moment you see unauthorized activity!
Monitor your credit. It's true that you can get one free credit report a year from each of the three major bureaus. However, wading through a credit report is a slog (even for me, and I like this stuff!), and it doesn't even give you the benefit of a score to see if your overall credit rating is going up or down.
The good news is that there are an increasing number of free services that allow you to periodically check on your credit in a more user-friendly format. Many banks are beginning to offer this, but my favorite is Credit Karma, which connects to both Transunion and Equifax. In addition to the standard credit report, it gives you a credit score, a breakdown of the various factors that influence it and how much influence each has, and a list of recent changes. And if you're worried that using Credit Karma will itself harm your credit, fear not: it uses "soft" credit inquiries that don't affect your credit score, so you can check on your credit as much as you like. (How do they make money? Advertising: they offer credit cards and personal loans that fit your credit.)
Again, if you see an account opened that isn't you, or otherwise find an error, immediately report this. The FTC has an excellent step-by-step writeup of how to correct errors on your credit report; it basically involves informing the bureau and account provider in writing that you are disputing the claim, and providing evidence to back it up. Be careful here: use certified mail, keep copies of the documents you send, and send as much evidence as possible. Generally speaking, the problem will be resolved within 30 days, after which the bureau will notify the other two credit reporting agencies and will send you the outcome in writing along with an updated credit report. However, the bureaus are bureaucracies -- you'll want to have backup in case your protest gets lost in the machine.
For extra credit protection, you may consider "freezing" your credit. This prevents lenders from accessing your credit report entirely; effectively, any requests to open new accounts will be denied. You'll still be able to use e.g. Credit Karma, assuming you've already got an account; you just won't be able to open a new account. (Note: as of September 2018, this is free by federal law.) It's up to you to decide whether this is worth it; you're trading the hassle of freezing and unfreezing for the potential hassle of disputing a credit report error. And note that this only protects against credit fraud; this does not protect from theft via direct access to your bank or credit card account, nor does it help with tax fraud. Speaking of which:
File your taxes early. The best way to avoid tax fraud is to beat the fraudster to the punch: if you file your taxes before they do, you win. That said, if the IRS responds to your return with a letter saying that someone has already filed in your name, you can generally straighten that out with a phone call (they'll provide you a number to call in the letter). The IRS is a bureaucracy to end all bureaucracies, so you may spend a lot of time on hold, but you'll be able to sort things out. See the IRS guide to tax ID fraud for further details.
If any kind of ID theft occurs, report it to the FTC and credit bureaus immediately. Whether it's social security fraud, account fraud, tax fraud, or something else entirely, if someone has stolen any of your information, immediately report it to the FTC and a credit bureau. The FTC will help you put together a recovery plan as well as an ID theft report that it and other enforcement agencies can use to investigate the theft. The credit bureau will place a fraud alert on your account. (It doesn't matter which bureau you contact -- they're each required to notify the other two.) This alert lasts for 90 days (and can be renewed if you wish), and will force any lenders to take extra steps to verify your identity before they can open a new account for you. Also, if you report ID theft, you're allowed to get a free copy of your credit report from each of the three companies, though it generally won't tell you anything you wouldn't learn from Credit Karma.
Generally speaking, if you're the victim of a data breach, the company in question will offer free credit monitoring. While this should never replace using e.g. Credit Karma to monitor your credit, it's an excellent supplement and always worth taking advantage of, as they will instantly and proactively inform you of any updates on your credit report, allowing you to move that much more swiftly in the event of ID fraud.
As always, these articles are "80/80" -- appropriate for 80% of my audience, 80% of the time. If you have an interesting situation, question, or idea, don't hesitate to leave a comment or send an e-mail!