One hundred million — that’s a pretty big number. It’s roughly three times the population of Canada, about a third of the U.S. population, and roughly equal to the population of Mexico.
It’s also the number of notifications that have gone out to individuals in the United States informing them that their personal information has been lost or stolen by companies. Upwards of 100 million “records” have been disclosed to date and reported upon pursuant to state disclosure notification laws, according to the Privacy Rights Clearinghouse.
Of course, it’s difficult to say with precision just how many individuals have been notified in this way, because companies only provide the government with the total number of accounts affected without providing any additional data. In other words, some individuals may have been impacted multiple times regarding different incidents, and would therefore show up on the list twice — or more.
No matter how you slice it, those notified of a breach involving their data are no longer in an exclusive club, as the number of individuals is getting larger every day as more states adopt breach disclosure legislation.
Looking ahead, it won’t be long before the majority of Americans will have been notified about a breach affecting their data. Given that this is such a strongly growing trend, it’s useful to take a few moments to look at the options for how to respond before something happens, rather than scrambling around in the heat of the moment. Here are some tips in case this happens to you.
Step 1: Remain Calm – Put It Into Context
So, you’ve been notified that your information may have been compromised. Now what do you do?
The natural tendency when people are informed that their personal information has been lost or stolen is for them to immediately panic and assume that means they’ll automatically become victims of identity theft or some other type of fraud.
However, in reality, that’s a relatively unlikely outcome. Consider, for example, the case of a lost or stolen laptop containing a database that includes your account information.
A tremendous number of laptops are stolen every day — some estimates say as many as 1,000 per day — and only a very small percentage of those stolen laptops lead to any kind of notification. After all, it’s much more likely that the laptop was stolen so the thief could play “World of Warcraft,” download music files, or use it for some other purpose not involving identity theft.
If a backup tape was “lost” in transit, it’s more likely that it was misdelivered, accidentally destroyed or misfiled than deliberately stolen.
Also, consider the fact that not every loss of data leads to notification. Granted, it’s required by law, but a company has to know that a breach occurred before it can tell you about it. Realistically, just because you receive a notification about a possible breach, the likelihood that you will become a victim of identity theft probably increases only minimally, if at all, in the majority of cases.
So don’t panic — you’re not guaranteed to be hit by fraudsters. Don’t be cavalier either — it’s always better to be safe than sorry.
Step 2: Weigh Your Options
The next course of action is to determine what data was lost, how it was lost, and what your next course of action will be. The type of data involved will probably dictate your next move.
In the case of financial data, such as credit card numbers or bank account information, you will want to monitor the account in question to make sure that no purchases are made using the lost information. If your bank account is impacted, pay careful attention to the withdrawals you make from the account; if there’s an attached debit card, pay attention to how that card is used. If the lost data involves a credit card, carefully monitor the statements until you are sure that the card is not being used fraudulently.
If you’re not in the habit of reading your monthly credit card statements, this would be a good time to start. A red flag should go up if you miss a statement or if you receive a change-of-address notification from the bank.
However, believe it or not, loss of financial account information is probably easier to monitor for fraud than a loss involving some other types of information. For example, personal information that could be used to open a line of credit — such as a Social Security number — is particularly difficult to observe.
In the case of credit card numbers, bank account information and so on, you receive a regular statement that you can review, and you’re also generally not liable for fraudulent transactions on these accounts.
Nevertheless, if you lose data — like your Social Security number — which would allow a fraudster to create a new account, it’s harder to recover. Most individuals don’t monitor their credit report, for example, so it could take months before they find out that these new accounts are being opened. Don’t forget that it can take some time for a new account to appear on your credit report.
It’s also difficult for you to take preemptive action to safeguard your credit profile, because while you can preemptively cancel a credit card with a minimum amount of hassle, dealing with new lines of credit opened in your name can be stressful and time-consuming.
Step 3: Be Alert
From a preventive standpoint, consider initiating a fraud alert with the credit agencies. This will require that institutions call you to verify information before opening a new account in your name.
Approach this option with caution, however. While a fraud alert is a great safeguard and can go a long way toward helping you maintain peace of mind, it can carry an inconvenience factor as well.
For example, don’t try to open a cell phone account in a mall kiosk or walk into a dealership expecting to drive off the lot on the same day with your new car. Remember, if you’re not at home to verify, any account that impacts your credit report requires your manual verification.
Ed Moyle is currently a manager with CTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit, and secure solutions development.