10 ways to protect yourself from data breaches
You can't stop every fraudster, but you can limit exposure, damage
Millions of consumers in the United States have already had their personal information compromised in data breaches. That includes the loss or theft of such sensitive data as credit card and debit card numbers and expiration dates, Social Security numbers and health records. Although word of such massive breaches can leave you feeling helpless, there are many things you can do to protect yourself and prepare for the worst.
Data breaches remain a major threat. The largest-ever data breach took place last year at payment processor Heartland Payment Systems, with information on more than 100 million payment cards stolen using malicious software. According to a chronology of data breaches compiled by nonprofit consumer group Privacy Rights Clearinghouse, more than 250 million records containing sensitive information have been involved in security breaches in the United States since January 2005.
To avoid falling victim to a data breach -- or to defend your already compromised information -- experts urge consumers to take the following steps:
1. Do your homework. You should be able to find out about prior security lapses involving data systems at major banks. Before doing business with a financial institution, go online for information regarding past data breaches."Dig into the company: Look at their website. Look at their press releases. See if they have had any data breaches. Use that to decide if you are going to accept a credit card offer," says Amina Fazlullah, legislative counsel with the U.S. Public Interest Research Group.
But know that just doing your homework won't be enough. For example, it's tough to be aware of existing back-end relationships between companies you do business with and their card processors. Banks share their data with these firms, and a breach at one of these third-party companies, such as the much-publicized one at Heartland Payment Systems, can expose massive amounts of a company's data -- including yours.
2. Prioritize information protection. Some information needs to be more closely guarded. "All security breaches are not alike. There are some that consumers should be very worried about and some that are not a cause for concern," says Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse. Your "Social Security number is really the highest risk, compared to credit card numbers," says Susan Lyon of law firm Perkins Coie in Seattle. Other information, such as health information and date of birth, represents a lower risk, but should still be protected. "People post their date-of-birth information on Facebook, which I don't do," Lyon says.
3. Stick to credit. Because lost credit card information represents a lower risk than the loss of debit card information, some experts encourage consumers to stick to using credit. While many issuers have zero-liability policies to protect consumers from unauthorized charges on either debit or credit cards, it can take more time to recover debit card funds, since they're taken directly from your account. "Your financial institution can investigate for two weeks before you get your funds back," says Stephens. During that time, an empty account can mean bounced checks and overdraft fees. Consumers may be unaware it can take so long to recover their money. "That's a point many people don't understand and why we as an organization encourage people not to use debit cards," he says.
4. Monitor all accounts. If the bank has notified you that one credit card was compromised, for example, experts encourage cardholders to monitor for unusual activity across all their accounts. That's because the threat is not limited to that one point of attack, Fazlullah says. When a hacker has one piece of information, "in all likelihood, they have others," she says. Therefore, consumers need to be vigilant about scanning their entire credit report for strange activity.
5. Continue to monitor. If your personal information is compromised, be vigilant for an extended period following the actual breach. "Data can remain unused and dormant for a time" before the identity thieves actually use it, says David Thompson of law firm McGlinchey Stafford PLLC in Cleveland. If the breach is initiated outside the United States, your information may pass through several hands as it gets sold and then used, he says.
6. Consider your options. Consumers whose data is compromised may be offered their bank's free credit monitoring service, which experts say can be a good option for spotting any follow-up fraud activity. A credit freeze can prevent fraudsters from opening any new accounts in your name. Also, free credit reports are available annually from each of the three major credit bureaus -- Equifax, Experian and TransUnion. Experts advise checking these reports regularly for any unauthorized activity that could indicate identity theft. If you find a debt that isn't yours, be sure to dispute its accuracy with the lender.
7. Take extra care with medical records. While checking credit reports allows consumers to find fraudulent financial activity, medical information is less frequently used by consumers and more difficult to access in a single place. "Different information -- because of the way we use them -- creates more or less scrutiny from consumers," Fazlullah says. But lost medical data is still a cause for concern. "Medical identity theft is the only type of identity theft that can potentially kill you," says Stephens. He warns that if someone piggybacks on your insurance information (and gives their medical information to the doctor or hospital), medical professionals may have the fraudster's blood type and allergies on record instead of yours. However, notification following a breach of medical data is likely to improve. In August 2009, the Federal Trade Commission issued a rule "requiring certain Web-based businesses to notify consumers when the security of their electronic health information is breached," according to an FTC press release.
8. Deal with debt collectors. Be prepared for phone calls from debt collectors seeking money for accounts fraudulently opened in your name. If the phone does start ringing, Thompson says learn the identity of both the debt collector and the lender to whom the debt is owed. "In response to that phone call, you have to be attentive and prompt" in proving the debt isn't yours, says Thompson. A debt collection sample letter can help you get started.
9. Contact your state. Forty-six states have passed laws requiring businesses to notify consumers in the event that their sensitive personal data is stolen. (Only Alabama, Kentucky, New Mexico and South Dakota have not passed laws as of June 2010.) Reach out to your state's attorney general for help. Fazlullah notes that states have the best infrastructure for providing residents with redress, either administratively or via the courts.
10. Don't panic, but stay vigilant. Most instances of data breach don't result in identity theft. Even if your personal information is compromised, take heart. "As long as the consumer is paying attention to charges on their [credit card] account, there isn't any liability for the consumer, in terms of real harm," Lyon says. For residents of 46 states with existing notification laws, "If consumers are vigilant, they should be in pretty good shape," Fazlullah says.
- Credit freezes are now free – but do you need one? – Credit freezes, which keep lenders and other companies from viewing your credit, are now free. We compared them to other credit protection tools, including locks and monitoring services. Here's how to use them all to protect yourself ...
- Employer credit checks: Who does them, how they work and what laws apply – If you're applying for a new job, a credit check could determine your fate, depending on the position and where it's based. Here's how they work and what to expect ...
- My card issuer of 25 years suddenly wants to know more about me – Under the Patriot Act, banks are required to verify the identities of their customers and maintain accurate information on them. But my bank's demand to know how I earn my income is an invasion of my privacy ...