What to expect, what to do after a card data breach
Data hackers have been busy, doing what they do best: breaching databases and making a mess you'll have to clean up.
the summer of 2012, Barnes & Noble, the South Carolina Department of Revenue and
GoTickets.com are just a few of the organizations reporting that data hackers have caused data breaches, potentially
putting customers' debit or credit card information at risk, and opening
them up to the risk of full-fledged identity theft.
far this year, the Privacy Rights Clearinghouse has received reports of more
than 200 data breaches involving payment card fraud or hacking, exposing more
than 12 million consumer records.
In some instances, the hackers seemed most
interested in the thrill of hacking into a system and exposing its
vulnerabilities, but in more worrisome cases, Social Security numbers and
debit and credit card information were exposed.
paying attention to the news lately regularly sees reports of major data
breaches," says John Breyault, vice president of public policy,
telecommunications and fraud at the National Consumers League.
If your information was stolen, "your vulnerability varies based on how
severe the data breach was," Breyault says.
While there's little a consumer can do before a data breach, here's what you can expect if one happens, and the steps you can take to minimize the hassle and maximize your protection.
How you'll find out
The first and most crucial step is to notice that a breach has happened and assess your risk. That's not always easy. No federal law requires you be notified of security
breaches involving your personal information.
National Conference of State Legislatures reports 46 states have laws requiring data breach notification, but if you're in Alabama, Kentucky, New Mexico or South Dakota,
there are no such guarantees.
notification laws tend to follow a similar pattern, says Sam Imandoust, legal
analyst for the Identity Theft Resource Center. If a certain number of people
have been impacted by a data breach, the law will require the company or
organization to send a letter to everyone who may have been impacted.
most cases, the letter doesn't need to go out within a set time frame, but as
"expediently as possible," Imandoust says. Delays are allowed if law
enforcement officials are investigating the breach, and public notification might
impact their investigation.
letters typically will contain information on the type of personal information
thought to be part of the breach, a description of what occurred, when it
occurred, and contact information for credit bureaus, Imandoust says. Because it's left to the companies to craft the language, in practice, some letters are more forthcoming and clear than others.
your bank knows
Surprisingly, if you've been notified of a credit or debit card data
breach, it doesn't mean your bank has been.
company that suffered the breach may not be the bank itself, but some third party with its hands in the transaction process. The company that suffered the breach must notify the consumer, as well as bank card
associations -- such as Visa and MasterCard -- which then notify their member
banks, says Tom Shaw, vice president of financial crimes management at USAA.
cases such as the Barnes & Noble data breach, in which credit and debit
card information was stolen from PIN pad devices at 63 stores, the incident was
kept from the public while the FBI conducted an investigation. USAA knew about
the case before the victims did.
there's always a chance something can fall between the cracks. Once you learn
you've been the victim of a data breach, Katie Ross, education and development
manager for American Consumer Credit Counseling (ACCC), recommends contacting your
bank or credit card company directly to report the breach and make sure there's
been no suspicious activity on your account.
What happens next
data breach doesn't necessarily mean your financial institution will issue you
a new credit or debit card, USAA's Shaw says.
issuer will look at the type of information that bad guys have in their hands, how often fraud has occurred with other cards that have been part of the
same data breach, and then calculate the chances your card could be
compromised, he says.
some instances, "rather than having the customer go through the pain of getting
a new card and setting up new recurring payments, we'll monitor it," Shaw says.
But if you report fraudulent activity on your account, it will immediately be
there hasn't been fraud, but USAA thinks it might occur, USAA will issue you a
new card but your current card will remain active for the short term.
Wells Fargo, the bank will telephone you if there's a chance your current card
is at risk for unauthorized transactions, says spokeswoman Natalie Brown.
the call, the Wells Fargo representative will tell you a new card is en route
and when your existing card will be deactivated, Brown says. The time frame for
deactivation can vary from case to case.
When the new card arrives
you receive a new card, you should follow the steps the bank requires to
activate it. Usually that involves calling a toll-free number from your home
phone or activating it online.
just want your credit card number. They are agnostic as to whose name
is embedded in the magnetic stripe.
|-- Tom Shaw
Vice president, financial crimes management, USAA
some banks may allow you to make small purchases without activating your card, others,
such as USAA, say it's not possible to use one of their cards unless it's been
you've activated your new card, be sure to contact all the companies that
automatically bill to your credit card, like your cellphone
company, Internet service provider and utility company, and give them your new
card number, Wells Fargo's Brown says. Otherwise you run the risk of your transactions not
your new card, you also might want to set up a "verbal" password on your card to
help verify your identity, says Ross of the ACCC. A verbal password is one that must be spoken before you or anyone else can access your banking information by phone.
you need to make sure you destroy your old card properly. Taking a pair of
scissors to your credit card won't do the trick. Ross, who conducts identity
theft prevention classes, says it's crucial to use a cross-cut shredder.
Otherwise your trash can provide a bonanza for Dumpster divers.
What defenses do you need
work still isn't done. Contact one the three main credit bureaus -- Experian,
Equifax and TransUnion -- and have an initial fraud alert placed on your credit
report. The bureau you contact is required to notify the other two.
fraud alert will remain on your reports for 90 days, and you're entitled to one
free credit report from each agency. Check them diligently for errors, Breyault
many cases, having your credit or debit card information stolen won't develop
into a full-fledged identity theft case, Shaw says. In these cases, the thieves simply want to run up as many purchases as they can.
just want your credit card number," he says. "They are agnostic as to whose name
is embedded in the magnetic stripe."
be safe, place a security freeze on your credit report, locking out anyone who
tries to get new credit in your name. The only ones who can view your report
are lenders with whom you do business, Breyault says. You can opt to have the
freeze lifted temporarily or permanently.
safeguard is to sign up for free alerts if there is suspicious activity on your
debit or credit card, he says.
you've been the victim of a data breach, the organization that has been hit is
likely to offer you free credit monitoring service for a set period of time,
Breyault says. Once that period expires, you'll have to pay for the service.
frowns on paying for a third party to monitor your credit report. "They're
often incomplete and have a lag time in data. They're not the same ones the
lenders see. It's really not worth the money to get them."
he recommends, "be aggressive in getting your credit reports and checking them
repeatedly for errors."
See related: How to safely, securely destroy a credit card: 6 tips
, Steps to protect yourself from data breaches
Published: November 30, 2012
Three most recent Legal, regulatory, privacy issues stories: