Fact Sheet 17b:
How to Deal with a Security Breach



Copyright © 2006-2010
Privacy Rights Clearinghouse / UCAN
Posted February 2006
Revised July 2009

  1. Introduction
  2. Figure out what type of breach has occurred
  3. Notify the credit bureaus and establish a fraud alert
  4. Order your credit reports
  5. Examine your credit reports carefully
  6. Continue to monitor your credit reports
  7. Consider a security freeze
  8. Information for businesses
  9. Resources

1. Introduction

Have you received a letter or an e-mail informing you that your personal information may have gotten into the wrong hands? Or perhaps a media report alerted you to a security breach at a company you do business with. Here are just a few ways that security breaches occur:

  • Computer files containing university student information, including Social Security numbers (SSNs), are hacked.
  • A bank's computer back-up tape with customer account data has been lost while being shipped to a storage facility.
  • A dishonest healthcare employee has obtained computer files containing patients' records, including SSNs and dates of birth, and may have sold the records to criminals.
  • Imposters have established accounts with a large information broker enabling members of an international crime ring to obtain thousands of comprehensive consumer profiles, including SSNs and dates of birth.
  • A company laptop has been stolen from the back seat of a bank employee's car. It contains account data and SSNs on hundreds of thousands of customers.
  • For more examples of security breaches, read the PRC's chronology of breaches at www.privacyrights.org/ar/ChronDataBreaches.htm.  It includes breaches that involve personal data that could be used to commit identity theft. There are certainly more security breaches than those listed there. We add breaches to the list when we learn of them in news stories and from individuals who have received breach notice letters.

Following California's lead, a majority of the states have laws requiring that individuals be notified when a security breach compromises their personal information. For a list of states with security breach laws, visit www.financialprivacynow.org. If your state does not have a security breach notification law, companies would not be required to let you know that you were affected by these incidents.

If your state does not have a security breach notice law, we encourage you to contact your local legislators to request that they establish a security breach notification law in your state, perhaps based on the model used here in California. The California Office of Information Security and Privacy Protection has information available on its web site, www.oispp.ca.gov/consumer_privacy/pdf/secbreach.pdf.

If you have heard about a security breach at a company with which you do business, but have not yet received a letter from the company, contact its customer service department. You can find the phone number on monthly account statements, on its web site, in the phone book, and in other common sources.

It is increasingly common for companies, educational institutions, and government agencies -- whether or not their state has a breach notice law -- to notify individuals when computer files containing personal information have been hacked, stolen, or lost. If the file includes Social Security numbers, financial account numbers, driver's license numbers -- in short, data that would be useful to identity thieves -- there are steps you can take to reduce your risk of fraud. So, what should you do if you suspect that your personal information has been compromised? First, don't panic. A security breach does not necessarily mean that you will become a victim of identity theft.

This guide provides instructions on ways to reduce your risk of identity theft. And if the worst happens and you do become a victim of fraud, this guide points you to other sources of information about identity theft.

2. Figure out what type of breach has occurred.

Has a breach occurred with your existing financial account? Has your Social Security number been compromised, with the chance that new accounts can be established by an imposter? Has your driver's license number or another government-issued ID document been compromised?

  • Existing accounts: If the breach involved your existing credit or debit card account, you will want to monitor your monthly account statements very carefully. Contact the creditor if your statement does not arrive on time. A missing bill could mean that an identity thief has changed your address.

    Check statements for transactions you did not make. Dispute those fraudulent charges directly with the credit or debit card company. The company will likely cancel the account and give you a new card and account number. You will not be responsible for the fraudulent charges if you properly dispute them. It's very important to report the fraudulent transactions immediately.

    In some situations, the financial company will not wait for evidence of fraud. It will instead cancel the existing account and issue a new account number right away. If the breach involves a debit card, you should immediately request that the card be cancelled. To understand why debit cards pose such a great risk, see www.privacyrights.org/fs/fs32-paperplastic.htm#2.
  • The potential for new accounts to be opened: If the breach involved disclosure of your Social Security number (SSN), a fraudster could use that information to open new accounts in your name. You will not immediately know of the new accounts because criminals usually use an address other than your own for the account. Since you will not be receiving the monthly account statements, you are likely to be unaware of the account(s).

    That is why it is so important to place a fraud alert on your three credit reports immediately when you learn that your SSN has been compromised, and then to monitor your credit reports on an ongoing basis.

    Other evidence of new account fraud includes receiving credit cards in the mail that you did not apply for, being denied credit when you know you've had a good credit score, and being contacted by debt collectors for payments that you do not owe.
  • ID documents: Nearly all the security breaches reported to date have potentially involved financial accounts. But if you are notified of a breach involving your driver's license or another government document, contact the agency that issued the document and find out what it recommends in such situations. You might be instructed to cancel the document and obtain a replacement. Or the agency might instead "flag" your file to prevent an imposter from getting a license in your name.

The remainder of this guide provides instructions on how to establish fraud alerts, place a freeze on your credit reports, and keep track of your credit reports for security breach situations involving your SSN -- in other words, breaches in which there is an opportunity for new accounts to be opened in your name.

3. Notify the credit bureaus and establish a fraud alert.

Immediately call the fraud department of one of the three credit reporting agencies -- Experian, Equifax, or TransUnion. When you request a fraud alert from one bureau, it will notify the other two for you. Your credit file will be flagged with a statement that says you may be a victim of fraud and that creditors should take additional steps to verify your identity before extending credit.

The federal Fair Credit Reporting Act (FCRA) enables you to place an initial fraud alert for only 90 days. You can renew the fraud alerts after 90 days if you wish. You may cancel the fraud alerts at any time.

4. Order your credit reports.

When you establish the fraud alert, you will receive a follow-up letter from each credit bureau. Each letter explains how you can order a free copy of your credit report from that credit bureau. We suggest that you take advantage of this offer and order your credit reports soon. If you are a victim of identity theft, you will see evidence of it on your credit report. Surveys have found that the sooner individuals learn of identity theft, the more quickly they can clean up their credit reports and regain their financial health.

When you order your reports, you may request that only the last four digits of your SSN appear on the credit report.

5. Examine your credit reports carefully.

When you receive your credit reports, look for signs of fraud such as credit accounts that are not yours. Check if there are numerous inquiries on your credit report. If a thief is attempting to open up several accounts, an inquiry will be listed on your credit report for each of those attempts. Usually identity thieves do not succeed in opening all of the accounts that they apply for, only some. So multiple inquiries that you yourself have not generated are a sign of potential fraud. Also, check that your SSN, address(es), phone number(s), and employment information are correct.

If your credit report indicates you are a victim of identity theft, you will want to immediately take steps to remove the fraudulent accounts. Read our Fact Sheet 17a for instructions, www.privacyrights.org/fs/fs17a.htm. Also see the Federal Trade Commission's identity theft web site, www.ftc.gov/idtheft.

Report fraudulent accounts and erroneous information by writing to the credit bureaus and the credit issuers following the instructions provided with the credit reports. The FTC's identity theft guide provides a sample letter to send to the credit bureaus requesting that fraudulent accounts be blocked. www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm (scroll down to find the letter).

In all communications with the credit bureaus, you will want to refer to the unique identification number assigned to your credit report and mail items certified, with return receipt requested. Be sure to save all credit reports as part of your fraud documentation.

6. Continue to monitor your credit reports.

Be aware that these measures may not entirely stop new fraudulent accounts from being opened by an imposter. Credit issuers do not always pay attention to fraud alerts, even though federal law now requires it. Once you have received the first free copy of your credit report, follow up in a few months and order another.

Every consumer (whether or not a victim of identity theft) can receive one free credit report every 12 months from each of the three national credit bureaus. This is over and above the free credit report that you can request upon establishing a fraud alert. See the Resources at the end of this guide for information on how to order your free report.

In addition, laws in several states give individuals other opportunities to obtain free credit reports. For victims who live in California, you can get one free report each month for the first 12 months upon request. (California Civil Code 1785.15.3) And in seven states, whether a victim or not, you can receive a free credit report each year under state law, over and above the free report you can receive yearly under federal law. These states are: Colorado, Georgia (2 per year), Maine, Maryland, Massachusetts, New Jersey, and Vermont.

7. Consider a security freeze

As of November 2007, the three credit bureaus -- Equifax, Experian, and TransUnion -- offer security freezes nationwide. For state-by-state information, visit this Consumers Union web page: www.financialprivacynow.org.

A security freeze is stronger than a fraud alert because it prevents anyone from accessing your credit file until and unless you authorize the credit bureaus to release your report. (Please note that it does not affect existing accounts.) Be aware that this might be inconvenient if you will be applying for new credit, an apartment, or employment involving a background check, since you will have to lift the freeze on your credit file. You can write to request that it be lifted for a certain period of time, or for a specific creditor. The fee to lift the freeze varies between $10 and $12.

In California and some other states, the security freeze is free to victims of identity theft. Non-victims who wish to use the security freeze must pay a fee -- in most states, $5-10 to activate the freeze for each credit bureau, and $5-10 to lift it temporarily or remove it altogether, per bureau.

The California Office of Information Security and Privacy Protection web site provides information on how to establish a security freeze in California: www.oispp.ca.gov/consumer_privacy/consumer/documents/pdf/cis10securityfreeze.pdf. For other states, see the section “State-by-State Security Freeze Information” at www.worldprivacyforum.org/creditfreeze.html#moreaboutsecurityfreezes.

8. Information for Businesses

If you are a business that has experienced a security breach, you can find a list of state security breach laws at www.financialprivacynow.org.

The California Office of Information Security and Privacy Protection has developed a series of recommended practices. If you are a California company (or government agency, nonprofit, or educational institution), review its guide, “Recommended Practices on Notice of Security Breach Involving Personal Information” available at www.oispp.ca.gov/consumer_privacy/pdf/secbreach.pdf.

The steps outlined in this guide are likely applicable in other states as well. If you are located in a state with a security breach notice law, contact your Attorney General's office for guidance on what to do.

There are policies that businesses can adopt to reduce the risk of security breaches.  The California Office of Information Security and Privacy Protection has developed a series of Recommended Practices. Several of the guides may be helpful in protecting your business whether or not you are located in California.

See the PRC's informative guide, “Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace”, www.privacyrights.org/ar/PreventITWorkplace.htm.

Another useful guide is the Better Business Bureau's Security & Privacy Made Simpler: Manageable Guidelines to Help You Protect Your Customers' Security & Privacy from Identity Theft & Fraud, www.bbb.org/securityandprivacy.

9. Resources

Order your free credit report

Whether or not you are a victim of identity theft, take advantage of your free annual credit reports, now a requirement of federal law. We recommend ordering by telephone, rather than online.

Check your ID Score

  • Track the possible misuse of your identity at the free service My ID Score, www.myidscore.com.

Federal Trade Commission (FTC)

Privacy Rights Clearinghouse (PRC)

Identity Theft Resource Center

California Office of Information Security and Privacy Protection

Copyright © Privacy Rights Clearinghouse/UCAN. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.