What to Do After a Data Breach

Given that the Identity Theft Resource Center (ITRC) reports there have been 932 breaches thus far in 2018, it now seems much more likely that a person may become a victim of a data breach. Although data breaches have become increasingly common, it can be difficult to determine exactly how worried you should be if you learn you're a data breach victim.

Consider these questions if your personal information has been involved in a data breach to determine how to help protect yourself from the likelihood of future identity fraud, without inviting undue strain into your financial life.
 

1. How were you impacted?

A data breach may include an incident that involves the exposure of a person's name plus his or her Social Security number, driver's license number, medical record, or financial records — or it can involve the compromise of information that's easily changed (such as passwords or card account numbers).

Although the Federal Trade Commission (FTC) reports that most states, Puerto Rico, and the Virgin Islands have laws that require organizations that suffer a breach to notify impacted parties when personal information is compromised, different notification laws apply at the federal and state level. For example, the ITRC explains that breaches that contain the exposure of user names, emails, and passwords — but not sensitive personally identifiable information — may not require notification of any kind.

If you suspect you were part of a breach, or you know you were because you received a notification, confirm what information was compromised so you can take appropriate and immediate action:

• If the breach involved a username or password that can be easily changed, you may need only to update your account credentials to prevent further fraud.
• If a breach resulted in the compromise of a Social Security number, your date of birth, or your mother's maiden name, you may want to consider additional protections to help ensure thieves cannot open new accounts in your name.

   

2. Should you initiate a credit freeze or fraud alert?

Data breach victims may opt to initiate a credit freeze upon learning their sensitive information has been compromised, yet it's important to understand what a credit freeze can and cannot accomplish before assuming it's the best form of protection.

A credit freeze essentially requires that you authorize any potential creditor or lender to view your credit report before they are able to do so; a thief will not be able to open an account in your name without your knowledge. Unfortunately, a credit freeze does nothing to prevent fraudulent activity on existing, active accounts.

According to the most recent data compiled by the Bureau of Justice Statistics, identity thieves are far more likely to use an existing account than they are to open a new account. (This is why taking advantage of free alerts offered by your bank or credit card issuer can be  so important.) Plus, if you intend to apply for a new loan, mortgage, or credit card in the near future, a credit freeze can add a bit more time and hassle to the process.
 

"The Identity Theft Resource Center (ITRC) reports there have been 932 data breaches thus far in 2018¹."

If your goal is simply to monitor existing account activity after a breach, Consumer Reports says fraud alerts could provide the information you need. The fraud alert will monitor activity on your credit report, and notify potential creditors or lenders that you have been a victim of identity theft if they pursue an inquiry into your credit report to process a new account application. Ideally, the alert will prompt them to contact you and confirm the application is legitimate — but they are not required to do so.

Once you initiate a fraud alert with one credit bureau, it will extend to the other major credit bureaus as well, and will last 90 days. Identity theft victims may have the option to continually extend the protection for up to seven years. Each time the alert is renewed, you'll receive free copies of your credit report, which can help you remain aware of the detailed activity in it.
 

3. Would a paid identity monitoring service have prevented you from being a breach victim?

Finding out your sensitive information has been compromised can make you feel vulnerable — and violated. It can also make you wonder whether you could have prevented the event from occurring entirely, if only you'd invested in one of the many identity theft protection services you've seen advertised.

USA Today reports that there's no use blaming yourself for steps not taken. It explains that although most identity theft protection services include credit monitoring to make you aware of a possible fraud issue quickly, having such a service won't prevent you from becoming the victim of a data breach.
 

4. Should you file a police report?

Filing a police report can give identity theft victims formal documentation to reduce the likelihood they're held accountable for criminal acts identity thieves commit, like violating traffic laws, writing bad checks, or insurance fraud, but the FTC says most data breach victims need not report the incident to the police.
 

5. Can you change your Social Security number?

Given that at least some data breach incidents involve Social Security numbers, it might seem logical to request that the Social Security Administration issue all breach victims a new identifier.

Although the Social Security Administration may consider a request for a new Social Security number in cases where an identity theft victim is continually disadvantaged by the fraudulent use of a stolen number — or when a person has religious or cultural objections to the digits in a number, or is a victim of domestic violence — a data breach typically isn't enough to substantiate the assignment of a new number.

Until that changes, your best course of defense after a data breach is a good offense. Leverage tools like fraud alerts or credit freezes to proactively protect your credit, ensure you have real-time access to activity on all your financial accounts so you can detect suspicious activity quickly, and use strong passwords and two-step verification to help ensure your identity remains as secure as possible.

1.Data Breach Reports PDF opens in new window 2018 Breaches Identified by the ITRC as of: 10/3/2018

Stephanie Taylor Christiansen is a former financial services marketer turned freelance writer with more than a decade of experience writing about personal finance and business topics for financial institutions, private firms, and the national media.

For Compliance Use Only:1010889-00002-00