What consumers should know about data breach notification

November 2, 2011 by kbarney

Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).

It can be unnerving to be told that your information has been compromised in a data breach.  The uncertainty of not knowing all the details and the anxiety over what information has been exposed is deeply troubling to many consumers.  A breach notice makes us aware of a new risk to our lives that we can’t measure easily.

Oftentimes, there is a lot of speculation surrounding the timing of a company’s breach notification.  The timing of notification may depend upon a variety of state laws, some of which may delay notification if law enforcement is investigating the incident and has requested a delay to make the investigation easier.  In most breach cases, the company will want to investigate internally prior to making public notice.  It is important to both the consumer and the company that the notice be accurate.  No one is happy when a notice is made public and then has to be changed as further information comes to light.  Everyone is better served when the company gets the information right the first time.

It is also important to understand the complexities which may surround various types of data breaches. Not all breaches are equal in the amount of risk posed to the consumer.  For instance, some pieces of information about you are generally available and public, and pose little risk to you taken alone, such as your email address, or first and last name.  Credit card numbers that are exposed are a risk, but not a long-term problem, as the issuer will provide a new card with a different account number very quickly.

Additionally, malicious attacks on a company’s server, insider (employee) theft, or the theft of mobile devices (e.g., storage devices, laptops) may be more likely to lead to identity theft than accidental posting on a long-ago cached website or papers left behind in an old abandoned building.  Knowing whether the breach incident was malicious or accidental in nature may help you to put the level of risk into a better perspective.

Just remember, unless you know otherwise, the fact that your data was compromised does NOT mean you are an identity theft victim.  In fact, there have been millions of people notified that their information may have been breached who have not become identity theft victims. Your response to the breach will depend on the type of information that was compromised.  Here are some steps you can take at this time:

Financial Account Numbers:

This includes checking accounts, credit cards, money market funds, stocks, and bank accounts:

  • Close ONLY the affected accounts and have account numbers changed.
  • Password-protect all your accounts, the new ones as well as the closed ones.  This restricts thieves from re-opening closed accounts.
  • Monitor your account and billing statements closely.
  • Report any fraudulent activity immediately to the bank and law enforcement.

Social Security Numbers:
Call the credit reporting agencies.  These are automated and secure systems.   Place a fraud alert with each agency and request a free copy of each of your credit reports.  It is free because your information was breached and you are a potential victim of identity theft.  Do this for any person whose Social Security Number (SSN) was compromised. If the SSN belongs to a child, you should find that there is no credit report available for that child.  If there is a credit report for a child, it indicates that the child’s information may have been used. In that case, you need to get a copy of the credit report in order to repair the incorrect items.

It is also recommended that you call all three credit reporting agencies and not just one.  Check your report carefully for any irregularities.  Sometimes people see errors on the report that were on the report before the data breach occurred.

You can use, without charge, the annual credit report system at www.annualcreditreport.com to monitor your credit report over the next year. Stagger the reports throughout the year by ordering one every four months.

Or, if you want real-time updates on your credit report, you may want to consider a paid service which monitors your credit report and alerts you immediately upon any change.


  • If your auto or medical insurance policy information is involved, ask the company about their policy to protect compromised policies.
  • If it is HR data that was compromised, change account numbers for your 401(k), life insurance, and accounts holding your stock options.  Password-protect these accounts.
  • Driver’s licenses – contact your state Department/Bureau of Motor Vehicles and notify them of the theft.  They most likely will not change your number.