Cis 17 Breach Help

Download as pdf or txt
Download as pdf or txt
You are on page 1of 4

Breach Help

Consumer Tips from the


California Attorney General
Consumer Information Sheet 17 • October 2014

You get a letter from a company, a government agency, a university, a hospital or other organiza-
tion. The letter says your personal information may have been involved in a data breach. Or maybe
you learn about a breach from a news report or company web site. Either way, a breach notice
does not mean that you are a victim of identity theft or other harm, but you could be at risk.

The breach notice should tell you what specific types of personal information were involved. It may
also tell you what the organization is doing in response. There are steps you can take to protect
yourself. What to do depends on the type of personal information involved in the breach.

Note that credit monitoring, which is often offered by breached companies, alerts you after some-
one has applied for or opened new credit in your name. Credit monitoring can be helpful in the
case of a Social Security number breach. It does not alert you to fraudulent activity on your existing
credit or debit card account.

Credit or Debit Card Number transactions on your credit card statement,


The breach notice should tell you when and and deduct them from the total due. Your
where the breach occurred. If you used your liability for fraudulent transactions is limited
credit or debit card at the location during the to $50 when you report them, and most
given time, you can take steps to protect your- banks have a zero-liability policy.1
self.
3. If you do cancel your credit card, remember
Credit Card to contact any companies to which you
1. Monitor your credit card account for suspi- make automatic payments on the card. Give
cious transactions and report any to the them your new account number if you
card-issuing bank (or American Express or wish to transfer the payments.
Discover). Ask the bank for online monitor-
ing and alerts on the card account. This will Debit Card
give you early warning of any fraudulent 1. Monitor your debit card account for suspi-
transactions. cious transactions and report any to the card
issuer. Ask the bank for online monitoring and
2. Consider cancelling your credit card if you alerts on the card account. This will give you
see fraudulent transactions on it following early warning of any fraudulent transactions.
the breach. You can dispute fraudulent

Office of the Attorney General P rivacy E nforcement and Protection Unit


California Department of Justice www.oag.ca.gov/privacy
2. Report any unauthorized transactions to alerts the merchant to take steps to verify the
your bank immediately to avoid liability. identity of the applicant. A fraud alert lasts 90
Your liability for fraudulent transactions is days and can be renewed. For information on
limited to $50 if you report them within two a stronger protection, a security freeze, see
days. Your bank may have a zero liability How to Freeze Your Credit Files at
policy. But as time passes, your liability in- www.oag.ca.gov/privacy/info-sheets.
creases, up to the full amount of the trans-
action if you fail to report it within 60 days 3. Review your credit reports. Look through
of its appearance on your bank statement.2 each one carefully. Look for accounts you
don’t recognize, especially accounts opened
3. Consider cancelling your debit card. The recently. Look in the inquiries section for
card is connected to your bank account. names of creditors from whom you haven’t
Cancelling it is the safest way to protect requested credit. Some companies bill
yourself from the possibility of a stolen under names other than their store names.
account number being used to withdraw The credit bureau will be able to tell you
money from your bank account. Even when that is the case. You may find some
though it would likely be restored, you inquiries identified as “promotional.” These
would not have access to the stolen money occur when a company has obtained your
until after your bank has completed an name and address from a credit bureau to
investigation. send you an offer of credit. Promotional
inquiries are not signs of fraud. (You are
Social Security Number automatically removed from lists to re-
Here’s what to do if the breach notice letter ceive unsolicited offers of this kind when
says your Social Security number was involved. you place a fraud alert.) Also, as a general
precaution, look in the personal information
1. Contact the three credit bureaus. You can re- section for any address listed for you where
port the potential identity theft to all three of you’ve never lived.
the major credit bureaus by calling any one
of the toll-free fraud numbers below. You 4. If you find items you don’t understand on
will reach an automated telephone system your report, call the credit bureau at the
that allows you to flag your file with a fraud number on the report. Credit bureau staff
alert at all three bureaus. You will also be sent will review your report with you. If the
instructions on how to get a free copy of your information can’t be explained, then you
report from each of the credit bureaus. will need to contact the creditors involved
Experian 1-888-397-3742 and report the crime to your local police or
Equifax 1-800-525-6285 sheriff’s office.
TransUnion 1-800-680-7289
Password and User ID
2. What it means to put a fraud alert on your In the case of an online account password
credit file. A fraud alert helps protect you breach, you may receive a notice by email or
against the possibility of an identity thief open- when you go to the log-on page for your ac-
ing new credit accounts in your name. When a count. Here are steps to take if you learn that
merchant checks the credit history of someone your password and user ID or email address, or
applying for credit, the merchant gets a notice perhaps your security question and answer, were
that there may be fraud on the account. This compromised.

Office of the Attorney General P rivacy E nforcement and Protection Unit


California Department of Justice www.oag.ca.gov/privacy
1. Change your password for the affected 1. Call the bank, tell them about the breach
account. If you find that you are locked out and tell them you want to close your ac-
of your account, contact the company’s count. Find out what checks are outstand-
customer service or security department. ing. You may want to wait until they have
cleared before closing the account. (Or
2. If you use the same password for other ac- you could write to each recipient, tell them
counts, change them too. about the breach, ask them not to process
the old check and enclose a new check on
3. If a security question and answer was in- your new account.)
volved, change it. Don’t use questions based
on information that is publicly available, such 2. Open a new bank account. Tell the bank
as your mother’s maiden name, your pet’s you want to use a new password for ac-
name or the name of your high school. cess to your new account. Do not use your
mother’s maiden name or the last four digits
4. Use different passwords for your online of your Social Security number. Ask your
accounts. This is especially important for bank to notify the check verification compa-
accounts that contain sensitive information, ny it uses that the old account was closed.
such as your medical or financial informa-
tion. Consider accounts at online merchants Driver’s License Number
where you may have your credit card number If the breach notice says your driver’s license
stored in the account. or California identification card number was
involved, and you suspect that you are a victim
5. Create strong passwords. Longer is better— of identity theft, contact DMV’s Driver License
at least ten characters long and a mix of Fraud and Analysis Unit (DLFAU) by telephone
uppercase and lowercase letters, numerals, at 1 866-658-5758 or by email at dlfraud@dmv.
punctuation marks, and symbols. Don’t use ca.gov. Do not include personal information on
words found in a dictionary. You can base your e-mail.
passwords on a phrase, song or book title.
Example: “I love tropical sunsets” becomes Medical or Health Insurance
1luvtrop1calSuns3ts! Information
If the breach notice says your health insurance
6. A password manager or password “safe” can
or health plan number was involved, here’s
help you create and manage many strong
what you can do to protect yourself against
passwords. These software programs can
possible medical identity theft. A breach that
run on your computer, your phone and other
involves other medical information, but not
portable devices. You only have to remem-
your insurance or plan number, does not gener-
ber one password (or passphrase) to open
ally pose a risk of medical identity theft.
the safe. The Electronic Frontier Foundation
(www.eff.org) lists some free versions and 1. If the letter says your Social Security number
computer magazines offer product reviews. was involved, see section on Social Security
number breaches. Also contact your insurer
Bank Information or health plan, as in number 2 below.
If the breach notice says your checking account
number, on a check for example, was breached, 2. If the letter says your health insurance or
here’s what to do. health plan number was involved, contact

Office of the Attorney General P rivacy E nforcement and Protection Unit


California Department of Justice www.oag.ca.gov/privacy
your insurer or plan. Tell them about the up on it with your insurer or plan. For more
breach and ask them to note the breach in on medical identity theft, see First Aid for
their records and to flag your account number. Medical Identity Theft: Tips for Consumers,
at www.oag.ca.gov/privacy/info-sheets.
3. Closely watch the Explanation of Benefits
statements for any questionable items. An For more details on what to do if you suspect
Explanation of Benefits statement comes in that your information is being used to commit
the mail, often marked “This is not a bill.” identity theft, see the Identity Theft Victim
It lists the medical services received by you Checklist at www.oag.ca.gov/idtheft/
or anyone covered by your plan. If you see information-sheets.
a service that you did not receive, follow

This fact sheet is for informational purposes and should not be construed as legal advice or as
policy of the State of California. If you want advice on a particular case, you should consult an
attorney or other expert. The fact sheet may be copied, if (1) the meaning of the copied text is
not changed or misrepresented, (2) credit is given to the California Department of Justice, and
(3) all copies are distributed free of charge.

NOTES
1
Truth in Lending Act, 14 U.S. Code sec. 1601 and following.
2
Electronic Funds Transfer Act, 15 U.S. Code sec. 1693 and following.

Office of the Attorney General P rivacy E nforcement and Protection Unit


California Department of Justice www.oag.ca.gov/privacy

You might also like