Q&A: Eva Velasquez, ITRC’s President, On Identity Theft, Online Fraud, Consumer Security Risks


Identity Theft Resource CenterPrivate WiFi recently chatted with Eva Velasquez, the President of the Identity Theft Resource Center.

Later this month, she’ll start blogging periodically for Private WiFi’s private-i blog and will be covering specific subjects such as how to protect yourself from medical identity theft to broader topics such as privacy in the digital age. Read on for insights from a security professional who has made huge contributions to helping fraud victims and protecting the general public.

Q: Thanks so much for taking time to chat with us about your new role at the Identity Theft Resource Center! You joined as President about seven months ago and previously worked at the San Diego Better Business Bureau and spent two decades at the San Diego District Attorney’s Office. Given that impressive background protecting consumers, what were some of your first projects that you wanted to tackle as ITRC President?

A: After reviewing the incidents of service for the ITRC I was impressed at the volume of assistance a team of this size is able to provide. Once I truly understood the scope of the problem — almost 12 million individuals victimized by identity theft last year — I realized that there are still many, many victims that do not know where to turn. Based upon a recent ITRC survey, we realized that over 70% of the victims we assist are low- to moderate-income individuals. These are the people who need our assistance the most! Our goal is that there will be no victims of identity theft left to fend for themselves. We want to ensure that all the people who need our help are aware of our services.

Q: The ITRC’s work has always been exceptional, but given your specific background investigating e-crimes, I’m excited at the potential reach you will have for identity theft victims to make sure they are aware of their rights and resources. What sort of outreach campaigns do you find are the most effective?

A: The ITRC is making targeted communication campaigns to both specific segments of consumer population and we are building partnerships with organizations that focus on specific types of identity theft.

For instance, we are developing targeted programs for foster youth, LMI individuals, and law enforcement agencies that investigate identity theft. We have also put resources towards the communication regarding Medical Identity Theft, as this type of identity theft grew by 25% last year, yet few consumers are aware of the problem, much less the steps they should take to minimize their risk.

Lastly, we realize that building awareness in the general consumer population — BEFORE consumers become victims — is key. By sharing our best practices and tips we hope to not only help people minimize their risk, but also know where to turn if they do in fact become victims. The ITRC’s appearance on “The Ricki Lake Show” in April, and in MORE magazine this month, are evidence of these efforts.

Q: You recently tweeted about protecting foster kids’ Social Security numbers. That’s a topic that’s very important to me, and in fact, I interviewed U.S. Representative Langevin once because he’s a big advocate of keeping foster kids from getting victimized any further while their paperwork is shuffled through the system. He told me he would continue to push for the other measures included in his Foster Youth Financial Security Act, which would end the use of Social Security numbers as an identifier for foster children. Why do you think foster kids are more likely to be victimized?

A: Everyone is vulnerable to identity theft, even children. However, children in the foster system do not necessarily have a parental advocate checking on the well-being of their personally identifying information. Additionally, because many, many of the systems in place to assist foster youth do not use the same tracking platform, or having platforms that interface with each other, the PII for these kids is written down, passed around, sent through the mail, email, etc., over and over. Each time your PII is released from your control, you create an opportunity for the information to be compromised. The sheer number of times that their information is put out there creates a higher risk.

Q: What else can you recommend to parents – biological, foster, adoptive – to help limit exposure of their kids’ Social Security numbers, protect their untarnished credit scores, and shield their sensitive information, especially online?

A: Simply being aware that you should not share the personally identifying information of your child unless you absolutely have to, is the first step. While this includes Social Security numbers for sure, it also includes State ID numbers, medical insurance information, military dependent information, etc.

Once parents are aware that they should protect this information for both themselves and their children, they need to take the next step and TALK TO THEIR KIDS about it. Start when they are young. Once kids enter the pre-teen and teen years, their online activity is ubiquitous. It does not help to minimize your risk if you are aware of the need to not give out your child’s SSN online, but your teen is not. They could fall victim to a phishing or smishing scam and unwittingly give away their information because you haven’t passed on the knowledge to them.

Q: But in a real-world situation — enrolling in school or at a pediatrician’s office — how can parents confidently decline providing a Social Security number without too much headache? Any quotes or pep talks for parents who might just cave under the pressure?

A: The real-world facts are that sometimes you will have to make a choice between releasing the information or not using the services. There are legitimate reasons why some providers, such a doctors, dentists, schools, banks, or credit unions would need this information to identify you or your child. Parents should ask if providing a Social Security number is absolutely critical to use the services requested.

In the case of a medical provider, the parent may decide that they need to use that provider. In this instance parents should then move on the question, “Now that I have given you this sensitive information, what safeguards to have in place to ensure it isn’t compromised.” If it’s a hard copy file, are the files stored in a locked/secured area when not in use? Are there only certain staff members who have access to the sensitive information or does all staff have access? In the case of electronic files, the question still apply. How is your network secured? Which employees have access to what information and why? Are employees trained in how to handle this information? Do you have policies in place to keep disgruntled employee activity to a minimum, such as terminating system access immediately upon a change in employee status/relationship?

If it’s a question of an after-school event, program, or sports league, and you are told your child cannot participate unless the sensitive info is provided, however you are not comfortable with the level of safeguards in place, parents will need to weigh the risk against the disappointment of their child and make a decision accordingly.

Q: What’s your opinion of people over-sharing on social media and Facebook posts when it comes to identity theft risks?

A: Once again, the more information you make readily available to identity thieves the easier you make it for them to victimize you. While there is much information that is public record, by sharing all of it in one handy place — like your social media accounts — you have just made it easier for thieves to take this readily available information and discover your PII by social engineering if they so desire. This is particularly true of public figures and those that are attractive targets for thieves.

Q: What are your thoughts about people logging on in WiFi hotspots without a personal VPN? It seems easier than ever for hackers to steal sensitive information, so what suggestions do you have for raising awareness on the importance of encryption in public wireless hotspots?

A: The absolute best practice is to simply never use a public WiFi hotspot without using a VPN. It is the single best way to minimize your risk. Individuals can certainly monitor their own usage and ensure that when they are using public WiFi hotspots that they do not engage in an activity — such as shopping, banking, or logging into email — that could compromise their PII. This is certainly a good step, however it does open you up to simply forgetting, and thinking – ooops! I forgot to make my car payment – might as well do that now before I forget – and now you’ve put the information out there.

Q: Do you think, generally, that our lawmakers really understand the depth and breadth of consumer fraud and identity theft crimes? For example, I don’t even think most Senators and Representatives use a personal VPN while working on their mobile devices on Capitol Hill!

A: It is human nature to think, “That will never happen to me.” While I have no concrete evidence of this, I am certain that there are folks in privacy professions who are not as diligent as they know they should be, because they have not yet been victimized. Generally it takes an identifiable act that causes harm to make people have significant changes in behavior.

It is up to consumer-protection professionals to continue to educate the general public about the risks, tell the stories of those who have been victimized, and be a catalyst for change. I would apply this principle to our lawmakers as well. Some truly understand the magnitude of the problem, while others have not been exposed to it in a meaningful enough way to cause a significant shift in their thinking.

Q: You recently tweeted about Washington State becoming the 9th state in the country to sign a bill into law that would protect employees’ social media accounts from their employers. Why is this important?

A: This is important because it protects the consumer’s privacy. The states that have enacted these laws are making it illegal for employers to demand passwords to employees’ social networking accounts or to have employees log in to social networks to view private information. While we always warn the public that they must be careful about what they post online, it is good to see government agencies taking the side of consumer privacy. The issue of privacy in the new age of social media morphs daily and there is constantly a new battle to define privacy rights, but we believe laws protecting individuals’ online privacy are important.

Q: Your job seems incredibly complex. How do you keep all of the threats – against foster kids, against the elderly, against job-seekers, against taxpayers, well, against pretty much any person, really – from totally getting you down?

A: I have spent my entire career serving the public good. During my days in law enforcement it was hard to believe that there were any honest people out there because I was constantly exposed to all the liars, cheats, and con-men. But I was also exposed to the victims, witnesses, and other people involved in the process of catching the bad guy and helping to make the victims whole. Every time I speak in the community, talk to victims and consumers, and they tell me, “Thank goodness the ITRC is here. Thank you for helping me,” that invigorates me, and I am so grateful to have the opportunity to make the world a better place.


Get Private Wifi   Protect your personal information.
Get DataCompress   Cut your mobile data usage.

Elaine Rigoli

Elaine Rigoli is PRIVATE WiFi's manager of digital content strategy.