Dear Liz: Last week I received my annual mortgage interest report. The envelope was not sealed and my full Social Security number was exposed. Two days later, I received an e-mail from PayPal for a purchase made online in my name with a different address. What do I need to do to protect myself from identity theft and are there any penalties my mortgage company could face?
Answer: The penalties for exposing your information depend on your state’s laws. You can contact your state attorney general’s office for more information.
At the very least, consider reporting the issue to the mortgage company and demanding that your Social Security number be redacted in future mailings. Better yet, see if you can go paperless and download your tax documents, a process that is typically more secure than having your private financial information sent through the mail.
It’s entirely possible the fraudulent purchase was unrelated to your mortgage company’s sloppy practices, but you should still take steps to reduce your odds of being victimized again. Obviously, you need to change your PayPal password but you should also make sure all your accounts — especially your financial and email accounts — have unique, complex passwords. A password manager such as LastPass or 1Password can help you keep track.
Good computer hygiene also can help reduce your risk. That means turning on your computer’s firewall, using a secure browser and keeping that browser up to date. Update and frequently run antivirus software as well.
Another important step in reducing identity theft risk is freezing your credit reports at all three major bureaus: Equifax, Experian and TransUnion. This should prevent someone from opening a new fraudulent credit account in your name but won’t prevent account takeovers, such as what may have happened with your PayPal account.
Detect account problems as quickly as possible by regularly reviewing bank, payment and credit card transactions. Consider putting alerts on your accounts for foreign transactions or transactions over a certain size or signing up with a credit- or identity-monitoring service.
A gray area in required distributions
Dear Liz: I’ve reached that “certain age” when I should be taking required minimum distributions from my retirement accounts. I retired from full-time work at age 65 but continued doing small jobs at an hourly rate for that same employer. I set my own hours and earn just a couple thousand bucks a year. The company that holds my retirement funds says I don’t have to take the required minimum distribution because I never retired. I don’t want to be penalized for failing to take the RMD, and I can’t believe I get to delay taking the funds. Have I found a little-known loophole?
Answer: You’ve found a definite gray area.
People who are still working for the employer who provides their 401(k) may be exempted from the required minimum withdrawals that are otherwise supposed to start at age 72. The exemption does not apply to IRAs or retirement plans from previous employers. The exemption also doesn’t apply if you own more than 5% of the company, and not all 401(k) plans offer a “still working” exemption.
The IRS hasn’t offered a lot of guidance about the still-working exemption. For example, there doesn’t seem to be a clear minimum number of hours that an individual must work, said Mark Luscombe, principal analyst for Wolters Kluwer Tax & Accounting.
Luscombe says the exemption may depend in part on the minimum number of hours required to participate in the plan. Even then, though, it’s not clear that an employee could reduce the number of hours working from a full-time level to a part-time level and still qualify for the still-working exception, he said.
“This could be a discrimination issue if higher-paid employees were allowed to reduce their hours and lower-paid employees were not,” Luscombe notes.
The company might need a written rule that all employees are allowed to reduce their hours at a certain age, Luscombe said.
If a particular plan permits part-time employees working at least 500 hours per year to qualify for its 401(k) plan, for example, then perhaps working at least 500 hours per year meets the still-working standard for that plan.
You’ll want to get some clarity about this, because the penalty for not taking required minimum distributions on time is high — it’s 50% of the amount you should have taken but didn’t. If the plan doesn’t have clear rules, ask your company to create some to guide you and others in your situation.
Liz Weston, Certified Financial Planner, is a personal finance columnist for NerdWallet. Questions may be sent to her at 3940 Laurel Canyon, No. 238, Studio City, CA 91604, or by using the “Contact” form at asklizweston.com.