Fact Sheet 17(c):
FAQ on Security Breaches

Copyright © 2006-2008.
Privacy Rights Clearinghouse / UCAN
Posted June 2006.
Revised April 2008.


 

Security Breaches:
Frequently Asked Questions

This FAQ is an addendum to our Fact Sheet 17(b) on security breaches. It provides answers to questions we are often asked by individuals who contact us by phone and e-mail.

    1. I recently learned that a company I do business with has experienced a security breach. How can I find out if my information was lost or stolen?
    2. It seems like there is a security breach every day. How many people have been affected?
    3. I work for a business that has experienced a security breach. I know some states have a law that requires me to notify people who were affected by this breach. What is the process for notification?
    4. As a business, what policies can I institute to reduce the risk of a security breach?

1. I recently learned that a company I do business with has experienced a security breach. How can I find out if my information was lost or stolen?

If your state does not have a security breach notification law, companies would not be required to let you know that you were affected by these incidents. Nonetheless, it appears that these days most companies that have experienced security breaches involving sensitive personal information are notifying the affected individuals.

For a list of states with security breach laws, visit www.consumersunion.org/campaigns/Breach_laws_May05.pdf and www.pirg.org/consumer/credit/statelaws.htm.

If you have not yet received a letter from the company, contact its customer service department. You can find the phone number on monthly account statements, on its web site, in the phone book, and through other common sources.

If your state does not have a security breach notice law, we encourage you to contact your local legislators to request that they establish a security breach notification law in your state, perhaps based on the model used here in California. The California Office of Information Security and Privacy Protection has information available on its web site, www.oispp.ca.gov/consumer_privacy/pdf/secbreach.pdf.

Please read our entire Fact Sheet 17(b) on how to deal with security breaches, www.privacyrights.org/fs/fs17b-SecurityBreach.htm.

2. It seems like there is a security breach every day. How many people have been affected?

The PRC is keeping a running list of the numerous data breaches that have been reported, beginning with the ChoicePoint incident in February 2005. We limit the list to only those breaches that involve personal data that could be used to commit identity theft – such as Social Security numbers (SSNs) and financial account numbers. Link to our chronology of security breaches here, www.privacyrights.org/ar/ChronDataBreaches.htm.

Our list is not comprehensive, however. There are certainly more security breaches than those listed here. We add breaches to the list when we learn of them in news stories and from individuals who have received breach notice letters.

Click on the link for our chronology of breaches above and scroll to the very end to learn the latest tally of the number of individuals affected by security breaches involving their sensitive personal information. The list includes the number of consumers affected. For more information, go to www.privacyrights.org/ar/ChronDataBreaches.htm.

Another good resource for information about security breaches is the web site of Attrition.org. Its list includes links to news articles about the breaches, www.attrition.org/dataloss. You can sign up for its list-serve if you want to be kept up to date on the latest breaches, www.attrition.org/security/dataloss.html.

3. I work for a business that has experienced a security breach. I know some states have a law that requires me to notify people who were affected by this breach. What is the process for notification?

For a list of states with security breach notification laws, visit www.consumersunion.org/campaigns/Breach_laws_May05.pdf.

Remember, notice is likely to apply only if the breach involves the kind of sensitive personal information that could be used by an identity thief to commit fraud – in other words, Social Security numbers and financial account numbers.

The California Office of Information Security and Privacy Protection has developed a series of recommended practices. If you are a California company (or government agency, nonprofit, or educational institution), review its guide, "Recommended Practices on Notice of Security Breach Involving Personal Information," available at www.oispp.ca.gov/consumer_privacy/pdf/secbreach.pdf.

The steps outlined in this guide are likely applicable in other states as well. If you are located in a state with a security breach notice law, contact your Attorney General's office for guidance on what to do.

4. As a business, what policies can I institute to reduce the risk of a security breach?

The California Office of Privacy Protection has developed a series of Recommended Practices. Several of the guides may be helpful in protecting your business whether or not you are located in California.

See the PRC's informative guide, "Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace," www.privacyrights.org/ar/PreventITWorkplace.htm.

Another useful guide is the Better Business Bureau's Security & Privacy Made Simpler: Manageable Guidelines to Help You Protect Your Customers' Security & Privacy from Identity Theft & Fraud, www.bbb.org/securityandprivacy.

 

 
 


 

Copyright © 2006-2008. Privacy Rights Clearinghouse/UCAN. For distribution of this fact sheet, see our copyright and reprint guidelines. The PRC does not allow any of its documents to be posted on other web sites. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse. This fact sheet should be used as an information source and not as legal advice. PRC fact sheets contain information about federal laws as well as some California-specific information. Laws in other states may vary. Overall, our fact sheets are applicable to consumers nationwide.

Privacy Rights Clearinghouse, 3100 - 5th Ave., Suite B, San Diego, CA 92103. Web: www.privacyrights.org