Just found out that your personal information has been compromised? Here’s what to do.

You’ve just received a breach disclosure letter from a company, government agency or financial institution. What now? Should you call the police, or just file away the letter and hope for the best? We’ll guide you through the process, based on advice from Larry Ponemon, founder of the Ponemon Institute, and Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse.

The first step? Take a deep breath, Stephens says. These letters can be startling, but don’t panic—simply take the following steps to protect yourself.

1. Evaluate your risk. First, find out everything you can about what happened. Read the disclosure letter carefully, and do an Internet search for more information. Go to the company’s website to see if they’ve issued a press release. Call the company’s toll-free number if you have any questions. You want to find out two things: First, what information was compromised. The more information that was disclosed, the higher your risk. Second, try to determine whether the information was lost because of negligence or theft. In cases of theft, the chance is higher that the information will be misused.

2. Monitor your accounts. The most typical result of the theft of personal information is credit card fraud, Ponemon says. A thief will use your account for one or two transactions—quite possibly a large one—and then move on to the next victim. Fraud is most likely to occur right after the data is stolen, so monitor your account vigilantly for three to six months. You may want to have account numbers changed. However, if your data was lost—a tape fell off a truck, or a laptop went missing—this might not be necessary.

3. Take extra steps if your Social Security number has been disclosed.
If your Social Security number has been compromised, you’ll need to notify the credit bureaus, put a fraud alert on your records and monitor credit reports to make sure new accounts aren’t being opened in your name. Technically, you need to notify only one credit bureau, which will then share the information with the other two. However, you can contact Equifax (Equifax.com), Experian (Experian.com) and TransUnion (Transunion.com) individually if you want to be sure that they all get the information. If you feel you’re at a particularly high risk, you can also do a security freeze, which is stronger than a fraud alert. It puts a lock on your credit report, making it virtually impossible for anyone (including you!) to obtain new credit in your name.

4. Consider a credit monitoring service. Ponemon and Stephens both stress that credit monitoring services do many things that you could do yourself for free. For instance, thanks to the Fair and Accurate Credit Transactions Act (FACTA), you can get a free copy of your credit report every year from each of the three bureaus—that’s one free credit report every four months. However, if you don’t have the time to monitor your own credit, it might be worthwhile to pay for a credit monitoring service. Find out if the company that sent you the breach notification is willing to pay for this service. Ponemon is suspicious of free credit monitoring services, which may put spyware and adware onto your computer.

5. Decide when to call the cops. If you’re the victim of identity theft and not just credit card fraud, you do want to call the police and file a police report, Stephens says. Keep a copy of the report for your records. Typically, though, you don’t need a lawyer. Ponemon suggests working with the company responsible for the breach before you do anything else. “Call them if there is suspicious activity on your statement,” he says. “They need to know, and they probably have a system in place to help.
They are motivated to keep you [as a customer], so it’s often to your advantage to contact them,” he says. If you need more assistance, you can also contact your state attorney general or the Federal Trade Commission.

Kathleen Carr is a former editor for CSO.