What to Do When You Get a Data Breach Letter

Thursday, July 07, 2011

Kelly Colgan


Article by Eduard Goodman 

A day doesn’t go by without news of a data breach at a major company, healthcare facility or financial institution. The breaches at Epsilon, Sony and now brokerage Morgan Stanley Smith Barney are good examples.

We asked Eduard Goodman, Identity Theft 911 chief privacy officer and an expert on international privacy and data protection law, what to do when a data breach notification letter lands in your mailbox.

His short answer: Don’t panic. Just pay attention.

Q: My bank just sent me a notice saying my personal data may have been compromised. Now what?

Whether the trouble starts with a pilfered laptop or an insidious cyberattack, a breach of personal electronic data triggers mandatory notification laws in 46 states* as well as Washington D.C., Puerto Rico, and the U.S. Virgin Islands.

If you haven’t received such a notice already, chances are, you will. Since the first of the year, the nonprofit Identity Theft Resource Center has tracked 226 incidents exposing more than 11.9 million records nationwide.

Q: Does this mean I’m now an identity theft victim?

No. It means something’s happened that could put you at risk. We don’t have good statistics on how many breaches actually turn into fraud because it’s difficult to pinpoint when, how, and where information might have been compromised. Thieves can “bank” stolen data for years before using it.

Faced with a breach notice, most people do one of two things, and both are wrong: they ignore it and throw it away, or they panic and start closing accounts. Do this instead:

  • Read the notice carefully to learn what information may have been exposed and how. (Keep the notice in case you ever need to prove that your data was compromised through no fault of your own.)
  • If you’re offered a year of free credit monitoring, take it.
  • Pay extra attention to your account and billing statements. Check for charges that aren’t yours.
  • After about 30 days (long enough for fraudulent activity to show up), log on to annualcreditreport.com to get a free copy of your credit report from each of the three major credit bureaus. Look for any unusual activity.

Q: Are some breaches worse than others?

Intent is key. In many cases, a thief who breaks into a car to steal a laptop just wants to make a quick buck by selling the laptop. On the other hand, hacking incidents show real intent to profit off personal data.

The kind of information matters, too. If it’s debit or credit card numbers only, there’s a good chance someone will try to use them. On the upside, exposure is limited and, if your bank thinks the risk is high, it will automatically reissue new cards (effectively shutting down the identity thief).

Degree of risk gets stickier when data like Social Security numbers, birth dates, and addresses is stolen. It has a long shelf life and can be traded internationally among organized criminals. It’s valuable because, unlike a single credit card number, it can spawn dozens of new accounts.

While such data is less likely to be used than a single stolen credit card number (which takes far less time and work to exploit), the potential damage to your good name is greater.

Q: What should I do going forward?

Keep up your good data-management habits—shred sensitive documents before throwing them away, use a locking mailbox, and take advantage of the Do Not Call and Do Not Mail registries. Review your free credit reports every year.

And, if you do spot something amiss, call your insurance company or bank to see if you qualify for Identity Theft 911 services. We’ll help you assess your risk and, if warranted, take steps to make you less vulnerable.

*Currently, Alabama, Kentucky, New Mexico, and South Dakota do not require businesses to notify customers of data breaches.

Eduard Goodman, Chief Privacy Officer, Identity Theft 911. An internationally trained attorney and privacy expert, Eduard has more than a decade of experience in privacy law, fraud and identity management. He is a member of the state bar of Arizona and served as the 2008-2009 section chair of the bar’s Internet, E-Commerce & Technology Law Practice Section.
Rod MacPherson: Freaking out and closing accounts willy-nilly is the wrong approach, but closing an account that is likely to be compromised is not.

An example of when I think it was appropriate was during the Sony breach, (the PSN one) I immediately identified what credit card I had given to Sony (which was not so easy as Sony wasn't being very cooperative), then started monitoring that account. When I was certain that the details that Sony had were still valid and could be used for a transaction I asked for a new card number to be assigned.

In reality, the account, with all of its history, was held open, but assigned a new card number, expiry and CVV2. All transactions on the old number were stopped.

You have to know that you don't have any pre-authorized payments or convenience cheques waiting to be processed on the card number you are about to kill, or be prepared for possible fees as a consequence of "closing" the account before the payments have gone through. But 10 minutes on the phone with the credit card company and about a week of waiting for a new card and PIN to arrive can save a lot of sleepless nights.