Identity Thieves Prey on the Deceased: 7 Steps to Protect Families Against “Ghosting”

Here are two statistics that should give pause to individuals and organizations alike: each year, approximately 2.6 million Americans die. And each year, identity thieves steal the personal information from approximately 2.5 million deceased Americans. According to Identity Theft Resource Center, identity thieves find the deceased’s personal information from hospitals, funeral homes, and obituaries.

Alarming as it may sound, identity thefts commonly occur against both the recently and not-so-recently deceased, with bad actors stealing credit card information, filing bogus tax returns and health claims, and engaging in other fraudulent behaviors that result in financial and emotional harm to the families of the deceased.

Fortunately, there are steps both individuals and organizations can take to defend against this most disturbing of crimes.

Seven Steps for Individuals

The IRS lays out four straightforward steps that individuals should take to protect a deceased family member from identity theft:

1. Send the IRS a copy of the death certificate.
2. Send copies of the death certificate to all three credit reporting bureaus, and ask them to put a “deceased alert” on the deceased person’s credit report.
3. Review the deceased’s credit report for questionable activity.
4. Avoid putting personally identifiable information (PII) such as birthday, address, and mother’s maiden name in the obituary.

For added precaution, we have provided additional steps:

1. Notify the Social Security Administration about the death. (In 2014 alone, thieves stole $55 million worth of Social Security benefits from deceased individuals.)
2. Notify all financial institutions, including credit card companies, banks, stockbrokers, mortgage companies, and loan or lien holders.
3. Notify the Department of Motor Vehicles about the death.
4. Remove the deceased person’s name from any joint accounts, if there is a surviving spouse.

Actions for Organizations to Protect Identity

Any organization that has PII or protected health information (PHI) on deceased individuals must recognize the seriousness of this issue and take immediate steps to protect consumers and patients.

First, and most importantly, organizations need to keep up-to-date data, so it is clear if an individual is deceased. If a data breach occurs, that information will be essential in notifying the families of deceased individuals in an appropriate manner. Organizations need to be cognizant of who they are sending their notification letters to and what type of information they include in the letters.

Second, when organizations experience a data breach, it is essential to offer protection services for everyone affected. This should include fully managed identity recovery service for all victims of identity theft, restoring affected individuals to pre-theft status. In case something were to happen to a deceased individuals’ information, organizations need to work closely with family members or legal guardians to restore pre-theft status as quickly and unobtrusively as possible to that individual’s identity.

In providing identity theft recovery services—organizations should pay close attention to the nuances of their communication strategies. For instance, we recommend:

• Letters to the families of deceased individuals should be as sensitive as possible, expressing sympathy and apologizing for causing any additional distress.
• Online resources should lay out, in detail and as simply as possible, the steps families need to take on the deceased’s behalf.
• Call center representatives and resources need to be fully trained on how to respond to questions related to deceased individuals and the sensitive nature involved.

For complex breaches, many organizations turn to outside experts that have extensive experience helping organizations that manage various types of data, such as healthcare, insurance, education, and government. Selecting a breach response partner for help with data breach responses can speed the delivery of identity theft recovery, reduce errors in the execution of breach response, and help restore trust with consumers.