Fact Sheet 17b: How to Deal with a Security Breach
Privacy Rights Clearinghouse
- Figure out what type of breach has occurred
- What to do if you are a victim of a breach involving your SSN
- Notify the credit bureaus and establish a fraud alert
- Order your credit reports
- Examine your credit reports carefully
- Continue to monitor your credit reports
- Consider a security freeze
- Information for businesses
Have you received a letter or an e-mail informing you that your personal information may have gotten into the wrong hands? Or perhaps a media report alerted you to a security breach at a company you do business with. Here are just a few ways that security breaches occur:
- Computer files containing university student information, including Social Security numbers (SSNs), are hacked.
- A bank's computer back-up tape with customer account data has been lost while being shipped to a storage facility.
- A dishonest healthcare employee has obtained computer files containing patients' records, including SSNs and dates of birth, and may have sold the records to criminals.
- Imposters have established accounts with a large information broker enabling members of an international crime ring to obtain thousands of comprehensive consumer profiles, including SSNs and dates of birth.
- A company laptop has been stolen from the back seat of a bank employee's car. It contains account data and SSNs on hundreds of thousands of customers.
For more examples of security breaches, read the PRC's chronology of breaches at www.privacyrights.org/ar/ChronDataBreaches.htm. The Chronology includes breaches involving personal data that could be used to commit identity theft, from 2005 to date. We realize that this listing is by no means complete. There are certainly more security breaches than those listed there. We add breaches to the list when we learn of them in news stories and from individuals who have received breach notice letters.
California was the first state to enact a security breach notice law in 2003. It resulted from a widely publicized breach at the State’s Teale Data Center in April 2002 that leaked the personal information of 265,000 state employees. Because the data elements that had been compromised could lead to financial identity theft if obtained by criminals, the Legislature passed a law in which individuals would be notified so they can take steps to reduce their risk of fraud. The following description of this landmark law is provided by the California Office of Privacy Protection, www.privacy.ca.gov/privacy_laws/index.shtml:
A business or a State agency that maintains unencrypted computerized data that includes personal information, as defined, [shall] notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The type of information that triggers the notice requirement is an individual's name plus one or more of the following: Social Security number, driver's license or California Identification Card number, financial account numbers, medical information or health insurance information.
The law has since been amended to require that the notice include specific information, and that entities required to issue a breach notice to more than 500 California residents must electronically submit a single sample copy to the Attorney General: https://oag.ca.gov/ecrime/databreach/reporting
The California Attorney General provides information on recommended practices for responding to a security breach under California law: http://www.oag.ca.gov/sites/all/files/pdfs/privacy/recom_breach_prac.pdf?
Following California's lead, a majority of the states have enacted laws requiring that individuals be notified when a security breach compromises personal information.
- The National Conference of State Legislatures provides a list of these state laws: www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
- The law firm of Baker Hostetler offers a more comprehensive analysis of state security breach notification laws at http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/State_Data_Breach_Statute_Form.pdf. It also has an analysis of key issues in these laws at http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/Data_Breach_Charts.pdf
- Another useful resource is Intersections Data Breach Consumer Notification Guide, at http://www.intersections.com/library/IntersectionsBreachConsumerNotificationGuideFinal_April2013.pdf
In addition to state laws, federal law may prompt notice of a data breach. Financial institutions subject to the federal Gramm-Leach-Bliley Act (or GLB), 15 U.S.C. §§6801-6810, must adopt procedures to safeguard customer data. As part of a security plan, financial companies should notify customers when there has been unauthorized access to customer data if, after an investigation, the financial institution determines that customer data has been or is likely to be misused. Guidelines on when customers of a financial institution should be notified about a data breach were published jointly by the federal banking agencies. To read these guidelines, go to www.fdic.gov/news/news/financial/2005/fil2705.html
Data breaches involving medical information may now also prompt notice under federal law and regulations. The Health Information Technology for Economic and Clinical Health Act (HITECH), Section 13402, requires the Department of Health and Human Services (HHS) to issue rules defining how and when consumers are to be notified of a breach of protected health information. In some cases, notice is required to consumers and HHS. Media notice is also required for some breach incidents, and incidents involving more than 500 individuals are posted by HHS. For more information on the HHS data breach rule, as well as a list of companies that have reported a data breach, see: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
The HITECH Act also requires the Federal Trade Commission (FTC) to adopt data breach rules that apply to web-based vendors of electronic personal health information as well as the vendors’ service providers. To read the FTC’s breach notification rule, go to: http://www.ftc.gov/opa/2009/08/hbn.shtm
For more on the HHS and FTC rules on data breaches adopted under the HITECH Act, see PRC Fact Sheet 8a, Part 12: www.privacyrights.org/fs/fs8a-hipaa.htm#12.
It has become a "best practice" for companies, educational institutions, and government agencies to notify their customers and employees whether or not the breach they've experienced legally requires that they provide notice. For example, there have been several high-profile breaches in which customers' names and email addresses were compromised. While the data elements exposed in these breaches would not likely lead to financial identity theft if obtained by criminals, the affected companies nonetheless notified their customers.
So, what should you do if your personal information has been compromised? Above all, don't panic. A security breach does not necessarily mean that you will become a victim of identity theft. This guide provides instructions on ways to reduce your risk of identity theft. And if the worst happens and you do become a victim of fraud, this guide points you to other sources of information about identity theft.
2. Figure out what type of breach has occurred
Has a breach occurred with your existing financial account? Has your Social Security number been compromised, with the chance that new accounts can be established by an imposter? Has your driver's license number or another government-issued ID document been compromised?
- Existing accounts: If the breach involved your existing bank, credit or debit card account, you will want to monitor your monthly account statements very carefully. Better yet, take advantage of online access to your account information so you don't have to wait for the monthly statement to come in the mail. Some financial institutions allow you to set up email or text message alerts for certain transactions. Contact the creditor if your statement does not arrive on time. A missing bill could mean that an identity thief has stolen your mail or changed your address.
  Check statements for transactions you did not make. Dispute those fraudulent charges in writing with your financial institution. They will likely cancel your account and give you a new card and account number. You will not be responsible for the fraudulent charges if you properly dispute them. It's very important to report the fraudulent transactions immediately.
  In some situations, the financial company will not wait for evidence of fraud. It may cancel the existing account and issue a new account number right away. If the breach involves a debit card, you should immediately request that the card be cancelled. To understand why debit cards pose such a great risk, see www.privacyrights.org/fs/fs32-paperplastic.htm#2.
- Potential for new accounts to be opened: If the breach involved disclosure of your Social Security number (SSN), a fraudster could use that information to open new accounts in your name. You will not immediately know of the new accounts because criminals usually use an address other than your own for the account. Since you will not be receiving the monthly account statements, you are likely to be unaware of them. That is why it is so important to place a fraud alert on your three credit reports immediately when you learn that your SSN has been compromised, and then to monitor your credit reports on an ongoing basis. A security freeze provides even more protection than a fraud alert. In fact, a security freeze can provide the greatest protection from identity theft.
  Other evidence of new account fraud includes receiving credit cards in the mail that you did not apply for, being denied credit when you know you've had a good credit score, and being contacted by debt collectors for payments that you do not owe.
- ID documents: Nearly all the security breaches reported to date have potentially involved financial accounts. But if you are notified of a breach involving your driver's license or another government document, contact the agency that issued the document and find out what it recommends in such situations. You might be instructed to cancel the document and obtain a replacement. Or the agency might instead "flag" your file to prevent an imposter from getting a license in your name.
3. What to do if you are a victim of a breach involving your SSN
The remainder of this guide provides instructions on how to establish fraud alerts, place a freeze on your credit reports, and keep track of your credit reports for security breach situations involving your Social Security number -- in other words, those breaches which may create an opportunity for a criminal to open new accounts using your name and SSN.
4. Notify the credit bureaus and establish a fraud alert
Immediately call the fraud department of one of the three credit reporting agencies -- Experian, Equifax, or TransUnion. When you request a fraud alert from one bureau, it will notify the other two for you. Your credit file will be flagged with a statement that says you may be a victim of fraud and that creditors should take additional steps to verify your identity before extending credit.
- Equifax fraud department: (888) 766-0008
- Experian fraud department: (888) EXPERIAN (888-397-3742)
- TransUnion fraud department: (800) 680-7289
The federal Fair Credit Reporting Act (FCRA) enables you to place an initial fraud alert for 90 days. You may cancel the fraud alerts at any time.
If you do become a victim of identity theft, you can obtain an “extended fraud alert” that will be in effect for seven (7) years.
- Equifax extended fraud alert: https://www.alerts.equifax.com/AutoFraud_Online/pdf/Fraud_Alert_7.pdf
- Experian extended fraud alert: https://www.experian.com/consumer/cac/PrepopulatedForm.do?PrePopulatedForm.No=1017&type=victim
- TransUnion extended fraud alert: https://fraud.transunion.com/pdf/ExtendedAlertForm.pdf
Members of the military can place an active duty fraud alert on their credit reports for one year if they are away from their usual duty station. The Federal Trade Commission explains this type of fraud alert here, http://www.consumer.ftc.gov/articles/0273-active-duty-alerts.
5. Order your credit reports
When you establish the fraud alert, you will receive a follow-up letter from each credit bureau. Each letter explains how you can order a free copy of your credit report from that credit bureau. We suggest that you take advantage of this offer and order your credit reports soon. If you are a victim of identity theft, you will see evidence of it on your credit report. Surveys have found that the sooner individuals learn of identity theft, the more quickly they can clean up their credit reports and regain their financial health.
When you order your reports, you may request that only the last four digits of your SSN appear on the credit report. Ordering a credit report after establishing a fraud alert does not affect your ability to also order free credit reports through the federally mandated website or toll-free phone number. (Official websites: http://www.consumer.ftc.gov/articles/0155-free-credit-reports and www.annualcreditreport.com)
Do not be fooled by so-called “free” credit report sites that claim to offer reports at no cost. For trustworthy information, visit the Federal Trade Commission site referenced in the previous paragraph, as well as the official website for the credit bureaus, www.annualcreditreport.com.
6. Examine your credit reports carefully
When you receive your credit reports, look for signs of fraud such as credit accounts that are not yours. Check if there are numerous inquiries on your credit report. If a thief is attempting to open up several accounts, an inquiry will be listed on your credit report for each of those attempts. Usually identity thieves do not succeed in opening all of the accounts that they apply for, only some. So multiple inquiries that you yourself have not generated are a sign of potential fraud. Also, check that your SSN, address(es), phone number(s), and employment information are correct.
If your credit report indicates you are a victim of identity theft, you will want to immediately take steps to remove the fraudulent accounts. Read our Fact Sheet 17a for instructions, "Identity Theft: What to Do if It Happens to You," www.privacyrights.org/fs/fs17a.htm. Also see the Federal Trade Commission's identity theft web site, http://www.consumer.ftc.gov/features/feature-0014-identity-theft.
Report fraudulent accounts and erroneous information by writing to the credit bureaus and the credit issuers following the instructions provided with the credit reports. The FTC's identity theft guide provides a sample letter to send to the credit bureaus requesting that fraudulent accounts be blocked: www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm (scroll down to find the letter).
In all communications with the credit bureaus, you will want to refer to the unique identification number assigned to your credit report and mail items certified, with return receipt requested. Be sure to save all credit reports as part of your fraud documentation.
7. Continue to monitor your credit reports
Be aware that these measures may not entirely stop new fraudulent accounts from being opened by an imposter. Credit issuers do not always pay attention to fraud alerts, even though federal law now requires it. Once you have received the first free copy of your credit report, follow up in a few months and order another.
Every consumer (whether or not a victim of identity theft) can receive one free credit report every 12 months from each of the three national credit bureaus. This is over and above the free credit report that you can request upon establishing a fraud alert. See the Resources at the end of this guide for information on how to order your free report.
In addition, laws in several states give individuals other opportunities to obtain free credit reports. Victims who live in California can get one free report each month for the first 12 months upon request (California Civil Code 1785.15.3). And in seven states, whether a victim or not, you can receive a free credit report each year under state law, over and above the free report you can receive yearly under federal law. These states are: Colorado, Georgia (2 per year), Maine, Maryland, Massachusetts, New Jersey, and Vermont. To read more: http://money.msn.com/credit-rating/get-extra-credit-reports-for-free.aspx
8. Consider a security freeze
A security freeze provides the greatest protection from identity theft. It is stronger than a fraud alert because it prevents anyone from accessing your credit file until and unless you authorize the credit bureaus to release your report. (Note that it does not affect existing accounts.) Be aware that this might be inconvenient if you will be applying for new credit, renting an apartment, or seeking employment involving a background check, since you will have to lift the freeze on your credit file for these situations. Generally, you can request that it be lifted for a certain period of time, or for a specific creditor.
There may be a small fee to place and/or lift the security freeze. In California and in many other states, the security freeze is free to victims of identity theft. Non-victims who wish to place a security freeze may need to pay a fee, depending upon their state of residence. If there is a fee, it is typically $5-10 to activate the freeze for each credit bureau, and $5-10 to lift the freeze per credit bureau.
The three credit bureaus -- Equifax, Experian, and TransUnion -- offer security freezes nationwide.
- Equifax: https://help.equifax.com/app/answers/detail/a_id/159/noIntercept/1/session/L3RpbWUvMTMzMjIxMjE5NS9zaWQvczJRVk93VGs%3D
- Experian: http://www.experian.com/consumer/security_freeze.html
- TransUnion: www.transunion.com/personal-credit/credit-disputes/credit-freezes.page
The California Department of Justice’s Privacy Enforcement and Protection Unit web site provides information on how to establish a security freeze in California: http://www.oag.ca.gov/idtheft/facts/freeze-your-credit. For other states, see http://www.consumer-action.org/english/articles/freeze_your_credit_file#Topic_04
9. Information for businesses
If you are a business that has experienced a security breach, you can find a list of state security breach notification laws on the website of the National Conference of State Legislatures: www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx. The law firm of Baker Hostetler offers a more comprehensive analysis of state security breach notification laws at http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/State_Data_Breach_Statute_Form.pdf. It also has an analysis of key issues in these laws at http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/Data_Breach_Charts.pdf.
The California Department of Justice's Privacy Enforcement and Protection Unit has developed a series of recommended practices. If you are a California company (or state government agency, nonprofit, or educational institution), review its guide, "Recommended Practices on Notice of Security Breach Involving Personal Information," available at http://www.oag.ca.gov/sites/all/files/pdfs/privacy/recom_breach_prac.pdf? . See also:
- A California Business Privacy Handbook, http://www.oag.ca.gov/sites/all/files/pdfs/privacy/business_privacy_handbook.pdf?
- Recommended Practices for Protecting the Confidentiality of Social Security Numbers, http://www.oag.ca.gov/sites/all/files/pdfs/privacy/protecting_ssns.pdf?
The International Association of Privacy Professionals' Newsletter, The Privacy Advisor has published an article entitled "How To Prepare for, Respond to and Manage Breaches" (February 24, 2013) available at https://www.privacyassociation.org/publications/2013_03_01_how_to_prepare_for_respond_to_and_manage_breaches.
Resources
The following resources are provided by the following agencies, companies and organizations:
Privacy Rights Clearinghouse
- Chronology of Data Breaches Summary of reported breaches, 2005 to present: www.privacyrights.org/data-breach
- FAQ with additional resources Studies & analyses of data breaches: www.privacyrights.org/data-breach-FAQ#12
- Links to compilations of state laws on data breach notice requirements: www.privacyrights.org/data-breach-FAQ#10
- "Prevent Identity Theft with Responsible Information-Handling Practices in the Workplace," www.privacyrights.org/ar/PreventITWorkplace.htm
Intersections
- Data Breach Consumer Notification Guide (April 2013): http://www.intersections.com/library/IntersectionsBreachConsumerNotificationGuideFinal_April2013.pdf
Better Business Bureau
- Security & Privacy Made Simpler: Manageable Guidelines to Help You Protect Your Customers' Security & Privacy from Identity Theft & Fraud, www.bbb.org/us/corporate-engagement/security/
Federal Trade Commission (FTC)
- FTC Bureau of Consumer Protection Business Center's webpage on "Data Security": http://business.ftc.gov/privacy-and-security/data-security
Open Security Foundation
- This all-volunteer organization provides a free list-serve of data breaches. Its website offers a wealth of information and statistics on data breaches worldwide: www.datalossdb.org/
Payment Card Industry (PCI) Security Standards Council
- Guidance paper on EMV and PCI Data Security Standard - https://www.pcisecuritystandards.org/documents/pci_dss_emv.pdf
- PCI E-commerce guidelines - https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_eCommerce_Guidelines.pdf
- PCI storage do’s and don’ts fact sheet - https://www.pcisecuritystandards.org/documents/PCI%20Data%20Storage%20Dos%20and%20Donts.pdf
- ATM security guidelines - https://www.pcisecuritystandards.org/pdfs/PCI_ATM_Security_Guidelines_Info_Supplement.pdf
- Small Merchant website with videos - https://www.pcisecuritystandards.org/smb/
- Mobile payment acceptance security fact sheet - https://www.pcisecuritystandards.org/documents/accepting_mobile_payments_with_a_smartphone_or_tablet.pdf
Order your free credit report. Whether or not you are a victim of identity theft, take advantage of your free annual credit reports. The official website and toll-free number are listed here. We recommend ordering by telephone, rather than online to avoid look-alike sites that are meant to trick you into ultimately paying for your reports.
- Phone: (877) 322-8228
- Web: www.annualcreditreport.com
Check your ID Score
- Track the possible misuse of your identity at the free service My ID Score, www.myidscore.com.
Federal Trade Commission (FTC)
- Identity Theft Hotline: (877) IDTHEFT (877-438-4338)
- Read the FTC's extensive guide, Taking Charge: What to Do if Your Identity Is Stolen, www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm
- Online information and complaint form: http://www.consumer.ftc.gov/features/feature-0014-identity-theft
- FTC uniform fraud affidavit form: www.ftc.gov/bcp/edu/resources/forms/affidavit.pdf
- The FTC's guide on obtaining your free credit reports
- The FTC's guide on disputing credit report errors
Identity Theft Resource Center
- Web: www.idtheftcenter.org
- Fact Sheets, Solutions and Form Letters for victims: http://www.idtheftcenter.org/Help-for-Victims/document-catalogue.html
- E-mail: firstname.lastname@example.org
- Phone: (888) 400-5530
- Write: P.O. Box 26833, San Diego, CA 92196
California Department of Justice’s Privacy Enforcement and Protection Unit
- ID theft guides: http://www.oag.ca.gov/idtheft/information-sheets