 Hey, welcome back everybody. Jeff Frick here with theCUBE. We're in downtown San Francisco at Twitter's World Headquarters. It's a beautiful building. Find a reason to get up here and check it out. But they have data privacy day here today. It's an all day seminar, session, series of conversations about data privacy. And even though Scott McNeely said data privacy is dead, get over it, everyone here would beg to differ. So we're excited to have our next guest, Eva Velasquez. She's the president and CEO of ITRC. Welcome. Thank you. Thank you for having me and for covering this important topic. Absolutely. So what is ITRC? We are the Identity Theft Resource Center. And the name exactly what it is. We're a resource for the public when they have identity theft or fraud, privacy, data breach issues and need help. So that begs an interesting question. How do people usually find out that their identity has been compromised? And what is usually the first step they do take? And maybe what's the first step they should take? Well, it's interesting because there isn't one universal pathway that people discover it. It's usually a roadblock. So they're trying to move forward in their lives in some manner. Maybe trying to rent an apartment, get a new job, buy a car or a house. And during that process, they find out that there's something amiss either in a background check or their credit report. And at that point, it creates a sense of urgency because they must resolve this issue and prove to whoever they're trying to deal with that actually wasn't me. Somebody use my identity. And that's how they find out, generally speaking. So you impact their credit score or something in a way that they had no idea is how they, what usually triggers that? Right, right. Or a background check, appearing in a database. It's just when we think about how pervasive our identity is out there in the world now and how it's being used by a wide swath of different companies to do these kinds of background checks and see who we are, that's where that damage comes in. So we're talking about security and security breaches at a lot of shows. It's many hundreds of days, usually, before companies know that they've been breached or a particular breach. I think now we just assume that they're breached all the time and hopefully they've minimized damage. But on an identity theft, what do you find as kind of the average duration between the time something was compromised before somebody actually figures it out? Is there kind of an industry mean? It's really wildly inconsistent from what we see because sometimes if there is an issue, let's say that a wallet is stolen and they're on high alert, they can often discover it within a week or 10 days because they are looking for those things. But sometimes if it's a data breach that they were unaware of or they have no idea how their information was compromised and especially in the case of child identity theft, it can go on for years and years before they find out that something's amiss. Child identity theft. Now what's going on? I've never heard of child identity theft. They usually don't have credit cards. What's down to the story on child identity theft? Or is it just their PayPal account or their Snapchat account? Well, you're right. Children don't have a credit file or a credit history, but they do have a social security number and that is being issued within the first year of their life because their parents need to use it on their tax returns and other government documents. Well, because of the Social Security Administration and the credit reporting agencies, they don't interface. So if a thief gets ahold of that social security number, that first record that's created is what the credit bureaus will use. So they don't even need a legitimate name or date of birth. Obviously, the legitimate date of birth isn't going to go through those filters because it's for someone who's under 18. So kid goes all through life, maybe all through school. And as they get out and start doing things like applying for student loans, which is one of the really common ways we see it in our call center, then they come to find out, I have this whole credit history and guess what? It's a terrible credit history and they have to clean that up before they can even begin to launch into adulthood. Okay, so when people find out, what should they do? What's the right thing to do? I just get rejected on a credit application, some weird thing gets flagged. What should people do first? There's a couple of things and the first one is don't panic because we do have resources out there to help folks. One of them is the Identity Theft Resource Center. All of our services are completely free to the public. We're a charity nonprofit funded by grants, donations and sponsorships. They should also look into what they might have in their back pocket already. There are a lot of insurance policy writers for things like your homeowner's insurance, sometimes even your renter's insurance. So you might already have a benefit that you've paid for in another way. There are a lot of plans within employee benefit packages. So if you work for a company that has a reasonably robust package, you might have that help there as well. And then the other thing is if you really feel like you're overwhelmed and you don't have the time, you can always look into hiring a service provider and that's a legitimate thing to do as long as you know who you're doing business with and realize that you're going to be paying for that convenience. But there are plenty of free resources out there. And then the last one is the Federal Trade Commission. They have some wonderful remediation plans online that you can just plug in right there. And which is a great segue because you're doing a panel later today, you mentioned with the FTC around data privacy and identity theft. You know, what role does the federal government have? And what is cleaning up my identity theft? What actually happens? Well, the federal government is one of the many stakeholders in this process. And we really believe that everybody has to be involved. So that includes our government that includes industry and the individual consumers or victims themselves. So on the government end, things like frameworks for how we need to treat data, have resources available to folks, build an understanding and a culture in our country that really understands the convenience versus security conundrum. Of course, industry needs to protect and safeguard that data and be good stewards of it when people give it to them. And then individual consumers really need to pay attention and understand what choice they're making. It's their choice to make, but it should be an educated one. Right, right. And it just, the whole social security card thing is just, I find fascinating. It's always referenced as kind of the anchor data point of your identity. At the same time, you know, it's a paper card that comes after you're born. And people ask for the paper card. I mean, I got a chip on my ATM card. It just seems so archaic. The amount of times that it's asked in kind of common every day, kind of customer service engagements with your bank or whatever just seems almost humorous in the fact that this is supposed to be such an anchor point of security. Why, you know, when is the Social Security Administration or that record either gonna come up to speed or do you see is there a different identity thing with biometrics or a credit card or your fingerprint or your retina scan? I mean, I have clear, I go through the airport, I can look in my eye. Is that ever gonna change or is it just always, it's such a legacy that's so embedded in who we are that it's just, it's not going to change. It just, it seems so bizarre to me. Well, it's a classic case of we invented a tool for one purpose and then industry decided to repurpose it. So the Social Security Number was simply too entitled to social security benefits. That was the only thing it was created for. Then as we started building the credit and credit file industry, we needed an initial authenticator. And hey, look at this great thing. This is a number it's issued to one individual. We know that they have, there's some litmus tests that they have to pass in order to get one. This is a great tool, let's use it. But nobody started talking about that. And now that we're looking at things like other government benefits being offered and now credit is issued based on this number. It really kind of got away from everybody. And think about it. It used to be your military ID and you would have your Social Security Number painted on your rucksack there for the world to see. It's still on our Medicare cards. It used to be on our checks. A lot of that has changed. That's right, it was on our checks. It was, it was. So we have started shifting into this, at least the thought process of if we're going to use something as an initial authenticator, we probably should not be displaying it ready for anyone to see. And in the big conversation, you were talking about biometrics and other ways to authenticate people. That's one of the big conversations we're having right now is what is the solution? Is it a repurposing of the Social Security Number? Is it more sharing within government agencies and industry of that data so we can authenticate people through that? Is it a combination of things? And that's what we're trying to wrestle with and work out right now. But it is moving forward, albeit very, very slowly. Yeah, the two-factor authentication seems to have really taken off recently. You get the text and here's your secure code and at least it's another step that's relatively simple to execute. So. Something you are, something you have, something you know. There you go. That's kind of the standard we're really trying to push. So on the identity theft bad guys, how is their behavior changed since you've been in this business? Is it, has it changed dramatically? Is the patterns of theft pretty similar? How's that world evolving? Because generally these things are a little bit of an arm race. And oftentimes the bad guys are one step ahead of the good guys because the good guys are reacting to the last thing that the bad guys do. How do you see that world kind of changing? Well, I've been in the fraud space for over 20 years, which I hate to admit, but it's the truth. We'll talk about it. And we do look at it sort of like a treadmill and I think that's just the nature of the beast. When you think about the fact that the thieves are, you know, they're doing penetration testing and we as the good guys trying to prevent it have to be right 100% of the time. The thieves only have to be right once. They know it. They also spend an extraordinary amount of time being creative about how they're going to monetize our information. The last big wave on new types of identity theft was tax identity theft. And the federal government never really thought that that would be a thing. So when we went to online filing, there really weren't any fraud analytics. There wasn't any verification of it. So that first filing was the one that was processed. Well, fast forward to now we've started to address that it's still a huge problem in the number one type of identity theft. But if you had asked me 10 years ago, if that would be something, I don't think I would have said yes, it seems, you know, so how do you create money out of something like that? And so to me, what is moving forward is that I think we just have to be really vigilant for when we leave that door unlocked, that these are gonna push it open and burst through. And we just have to make sure we notice when it's cracked so that we can push it closed. Because that's really, I think the only way we're going to be able to address this is just to be able to detect and react much more quickly than we do now. Right, right, because they're kinda coming through, right? Exactly, they are. There's no wall, there's no wall, pick it up, right? Right, and like you said, they only have to be right once. Nothing's impenetrable. Right, crazy. All right, Eva, we're gonna leave it there and let you go off to your session, have fun at your session, and thanks for spending a few minutes with us. Thank you. All right, she's Eva Velasquez, president and CEO of the ITRC. I'm Jeff Frick, you're watching theCUBE. Catch you next time.