It seems as though every day, another laptop laden with consumer data goes missing or someone hacks into a company server and accesses customer information.
As of June 15, 2009, the Identity Theft Resource Center has documented some 250 security breaches, a record number of breaches for the first half of the year. In 2008, the ITRC reported a total of 656 breaches, a year-over-year increase of 47 percent.
Unfortunately, many different companies, agencies and other entities handle our personal information, including Social Security numbers, throughout our lifetimes as consumers, and any of those could suffer a breach.
“Our data is in the hands of hundreds of companies by the time we reach our 30s,” says Linda Foley, co-founder of San Diego-based Identity Theft Resource Center, a nonprofit organization. “Think of how many job applications you’ve filled out, how many credit applications, tenancy applications, college applications. All that required your Social Security number somewhere along the line.”
If you’re notified that a breach exposed your personal information, don’t panic. Focus on the type of data lost and how to most appropriately deal with the risk of identity fraud you’re facing, if any.
What kind of data is it anyway?
Not every data breach warrants drastic precautions. It depends on the type of information exposed. For instance, if it’s just your e-mail address, then you might face some serious spam, but no real financial loss.
“However, a majority of the data breaches do involve what we consider to be important information that might potentially expose the individual to identity theft. Those are the ones that consumers really need to be concerned about,” says Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse in San Diego.
Essentially the breaches that make consumers susceptible to identity fraud include those that divulge either existing account information (debit, credit cards and other financial accounts) or data that could be used to create new accounts in that person’s name.
If the breach only involves debit or credit card information but not your Social Security number, then likely you’re only facing an existing account breach, he says. Existing account breaches are much easier to handle because you can cancel cards, have account numbers changed and monitor periodic statements for fraudulent transactions.
“I’d rather see a breach where a credit card was involved than a Social Security number was involved any day,” says Foley. “I can cancel the credit card. I can’t cancel my Social Security number.”
Just make sure to report affected accounts immediately so you don’t wind up responsible for fraudulent charges or suffer financial losses.
If the lost data involved driver’s license information, notify your state’s department of motor vehicles. Also consider whether your Social Security number was on the card somewhere. If it was, then you need to take certain steps to protect yourself.
Set up a credit freeze or fraud alert. “In most situations, we’re going to recommend as a very first step, a fraud alert,” says Stephens.
You can set up an initial fraud alert by calling one of the three nationwide credit bureaus — Equifax, Experian or TransUnion — who will then set fraud alerts at the other two agencies.
The initial fraud alert, which costs consumers nothing and lasts 90 days, is a notation on the consumer’s credit report informing businesses that check it that the consumer may be a victim of fraud. It asks the creditor to take additional verification steps, such as calling the consumer at a certain phone number, but sometimes, especially in an instant credit situation, the credit issuer may simply deny the applicant credit.
The better level of protection is provided by a security freeze, Stephens says. However, security freezes generally aren’t free unless you can prove that you’re an ID theft victim, and you have to pay a fee every time you remove or reinstate the freeze. The major credit reporting agencies do not share credit freezes, and so you must place one at each bureau.
The credit freeze comes with several pros and cons. It prevents new creditors or service providers from obtaining your credit report or score unless the freeze is lifted in advance. Since creditors will not be able to see the credit report, they are less likely to grant credit to the applicant.
That means you will have to remove the freeze ahead of any situation where a new creditor or business needs to check your credit report or score. So, plan ahead if you have to get a new cell phone or secure a job.
- Keep guard for one year. Because identity thieves don’t always use information they steal during breaches right away, consumers should keep renewing that fraud alert for one year, says Foley. That means that every 90 days you must call and request its renewal.
- Stagger your credit reports. You’ll also want to carefully monitor your credit reports and look for anything unusual, such as accounts you don’t recognize.
That doesn’t mean you have to purchase credit monitoring if the breached entity doesn’t offer it for free. You can keep tabs on your credit report for free with a little effort and a calendar.
The first time you request a fraud alert, you’ll be granted the right to obtain a free credit report from each of the three major credit-reporting agencies as a potential identity theft victim. The letter you receive from the agencies will explain how to obtain it.
After that, Foley suggests staggering your free annual credit reports by ordering a new one from one of the three credit reporting agencies every four months. That way you can “monitor” your credit reports for free all year long.
Make sure you order your free annual credit reports through annualcreditreport.com, the official Web site for ordering a free credit report every 12 months from each of the three nationwide credit bureaus, or by calling (877) 322-8228. Other sites will require you to pay for the reports in some way.
If you don’t receive notification about a breach
Notification letters usually get sent out once the breach hits the media, says Foley. However, if you don’t get one, it doesn’t necessarily mean you weren’t involved. Consumer advocates say no notification could mean a number of things, including that the breached entity is delaying notification pending law enforcement inquiries or an investigation, or that no state security breach notification law requires the company to contact affected individuals.
Then again, just because you shop at a merchant whose credit card database was exposed does not necessarily mean you’re a victim.
If you haven’t been contacted by the breached entity and you’re concerned, you can always call the breached entity’s hot line if one is available and ask if your information was exposed.
You can also contact the attorney general in the state where the breach occurred, since that office likely knows about the breach and might be able to tell you if affected individuals have been notified. To find a state’s attorney general, visit the National Association of Attorneys General’s Web site.
Consumers who want to stay abreast of the latest data breaches can check the frequently updated lists of data breaches available on the Web sites of the Privacy Rights Clearinghouse or the Identity Theft Resource Center.
“The reality is the majority of breach victims will not become identity theft victims,” says Foley, who herself was an identity theft victim once. “If something happens and you end up being part of a breach, there are documented steps you need to take depending upon what information was compromised due to the breach. Take those steps and sit back and relax and continue on and see what happens.”
People who might find credit freezes cumbersome include those who like opening new credit cards frequently, who might not have a day to wait for a credit freeze to “thaw” after requesting its removal.
Also, a freeze only stops identity thieves from opening new accounts in your name — it doesn’t stop them from using your Social Security number to get a job, or committing another crime using your identity, says Foley.
To find out if someone is using your Social Security number to obtain employment, you can order your Social Security Statement, which provides a record of the earnings on which you have paid Social Security taxes and estimates your retirement benefits, online, via snail mail, by calling (800) 772-1213 or by going to your local SSA office. These statements go out automatically to workers age 25 or older, but you can request your statement at any time. Call the fraud hot line at (800) 269-0271 if you find earnings you don’t recognize.