Fact Sheet 17b:
How to Deal with a Security Breach


Copyright © 2006-2016
Privacy Rights Clearinghouse
Posted February 2006
Revised February 2016
  1. What is a data or security breach?
  2. State and federal data breach laws
  3. What should you do if your personal information has been compromised?
  4. Breaches involving your credit or debit card information
  5. Breaches involving an existing financial account
  6. Breaches involving your driver's license number or another government-issued ID document
  7. Breaches involving your Social Security number (SSN)
  8. Resources for businesses
  9. Resources for consumers

1. What is a data or security breach?

The terms data breach and security breach are used interchangeably to describe a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.

Examples of different kinds of data breaches include:

  • Hacking
  • Credit or debit cards are skimmed (cloned) at a point-of-sale terminal
  • An employee or contractor with legitimate access to data intentionally breaches information
  • Sensitive documents are lost, discarded or stolen
  • Portable device (such as a laptop, phone, CD, or portable memory device) is lost, discarded or stolen
  • Stationary device (such as a computer or server) is lost, discarded or stolen
  • Sensitive information is posted publicly on a website, mishandled or sent to the wrong party by email, fax or mail

As a consumer, you may receive a letter or an email informing you that your personal information may have gotten into the wrong hands as a result of a data breach.  Perhaps a media report alerted you to a security breach at a company you do business with. Here are just a few examples of data breaches:

  • Computer files containing university student information, including Social Security numbers (SSNs), are hacked.
  • A bank's computer back-up tape with customer account data has been lost while being shipped to a storage facility.
  • A dishonest healthcare employee has obtained computer files containing patients' records, including SSNs and dates of birth, and may have sold the records to criminals.
  • Imposters have established accounts with a large data broker enabling members of an international crime ring to obtain thousands of comprehensive consumer profiles, including SSNs and dates of birth.
  • A company laptop has been stolen from the back seat of a bank employee's car. It contains account data and SSNs on hundreds of thousands of customers.
  • For many more examples see PRC's Chronology of Data Breaches which includes breaches involving personal data that could be used to commit identity theft.

2. State and federal data breach laws

    California was the first state to enact a data breach notice law in 2003. It resulted from a widely publicized breach at the State’s Teale Data Center in April 2002 that leaked the personal information of 265,000 state employees. Because the data elements that had been compromised could lead to financial identity theft if obtained by criminals, the Legislature passed a law in which individuals would be notified so they can take steps to reduce their risk of fraud. The following description of this landmark law is provided by the California Attorney General:

    This law requires a business or a government agency that owns or licenses unencrypted computerized data that includes personal information, as defined, to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

    The type of information that triggers the notice requirement is 1) an individual's name plus one or more of the following: Social Security number, driver's license or California Identification Card number, financial account numbers, medical information, health insurance information, or information collected through an automated license plate recognition system; or 2) user ID and password or other specified credentials permitting access to online accounts.

    The notice must contain specific information, and it must use a title and headings, as specified. Any agency, person, or business that is required to issue a breach notice to more than 500 California residents must electronically submit a single sample copy to the Attorney General.

    The California Attorney General provides information on recommended practices for responding to a data breach under California law. 

    Following California's lead, a majority of the states have enacted laws requiring that individuals be notified when a security breach compromises personal information.

    In addition to the state laws described above, federal law may require notice for certain types of data breaches.

    • Financial institutions subject to the federal Gramm-Leach-Bliley Act (15 U.S.C. §§6801-6810) must adopt procedures to safeguard customer data and notify customers when there has been unauthorized access to customer data if the financial institution determines that customer data has been or is likely to be misused. Guidelines on when customers of a financial institution should be notified about a data breach are published by the FDIC.  
    • Data breaches involving medical information may also prompt notice under federal law and regulations. The Health Information Technology for Clinical Health Act (HITECH), Section 13402, required the Department of Health and Human Services (HHS) to issue rules defining how and when consumers are to be notified of a breach of protected health information. For information on this rule and a list of companies that have reported a data breach, see www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/
    • The Federal Trade Commission (FTC) has adopted data breach rules under the HITECH Act that apply to web-based vendors of electronic personal health information and the vendors’ service providers.  

    3. What should you do if your personal information has been compromised?

    Above all, don't panic. A data breach does not necessarily mean that you will become a victim of identity theft. This guide provides instructions on ways to reduce your risk of identity theft. And if the worst happens and you do become a victim of fraud, this guide points you to other sources of information about identity theft.

    Your first step is to figure out what type of breach has occurred.  That will help you determine the action that you need to take.  The four major types of breaches are:

    • A breach involving your credit or debit card information
    • A breach involving another existing financial account
    • A breach involving your driver's license number or another government-issued ID document
    • A breach involving your Social Security number

    The sections below describe the action that you should take to protect yourself for each of the above four types of breaches.

    4. Breaches involving your credit or debit card information

    Breaches of your credit or debit card information often occur at retail point-of-sale (POS) terminals.  In the U.S., a customer or a store employee often “swipes” a debit or credit card’s magnetic stripe to pay for purchases.  This system is being phased out in favor of newer technology using cards that contain computer chips.  The chip stores the same information as the magnetic stripe on your card. However, chip cards generate a unique code for each transaction that cannot be reused.

    Because many U.S. retailers continue to use older POS technology, their payment systems are more attractive targets for hackers and are vulnerable to data breaches.  These breaches can be massive in size, sometimes affecting millions of cardholders.  POS systems have been breached at major retailers including Target, Home Depot, Michaels Stores and Neiman Marcus.  PRC’s Chronology of Data Breaches lists these and many other data breaches involving retail POS systems.

    Sometimes, you may become aware of a payment card breach only because your financial institution has reissued your payment card with a new account number.  However, because of the high cost of large scale payment card reissuances, many financial institutions do not automatically reissue cards that may have been compromised.

    If you become aware (through news media coverage or otherwise) that there has been a payment card breach at a retailer at which you have shopped, what should you do?

    First of all, determine whether you have used a debit or credit card at the merchant. There is far greater risk to you from a compromised debit card.  If your debit card is compromised, funds can quickly be withdrawn from your bank account without your knowledge.  Your bank account can be emptied, resulting in overdrafts, fees, and an inability to obtain cash or pay your bills.  On the other hand, if you used a credit card, you will have an opportunity to dispute any fraudulent transactions before you have to pay the bill, so you will still retain access to the funds in your bank account.  You can learn more about the risks of debit cards by reading PRC’s Fact Sheet 32: Paper or Plastic: What Have You Got to Lose?

    After you determine the type of payment card that you may have used at the breached retailer, here are some steps that you can take to reduce the risk of fraudulent activity:

    • Ask your card issuer to cancel your current card and reissue the card with a new account number.  They are not required to do so, and there may be a charge for the replacement card.  However, this is especially important if you have used a debit card at the breached entity.
    • Carefully monitor all your account transactions online.
    • If your card issuer offers it, set up text or email alerts of any activity. 
    • Make sure that your account statements arrive in your mailbox at their normal time.  Consider setting up access to online statements, with email notification from the card issuer when your statement is ready for viewing.
    • If you become aware of any fraudulent transactions, immediately call your financial institution and follow up by formally disputing the transaction in writing.
    • Be suspicious of any email or phone call that you might receive about the breach that requests personal information.

    Credit and debit card information may also become breached by methods not involving retail point-of-sale (POS) terminals.  However, the steps that you can take to reduce the risk of fraud are the same as those listed above.

    5. Breaches involving an existing financial account

    If the breach involves an existing financial account, such as a checking, savings, money market, or brokerage account, here are some steps that you can take to reduce the risk of fraudulent activity:

    • Ask your financial institution to cancel your account and issue a new account number. 
    • Carefully monitor all your account transactions online.
    • If your financial institution offers it, set up text or email alerts of any activity. 
    • Make sure that your account statements arrive in your mailbox at their normal time.  Consider setting up access to online statements, with email notification from your financial institution when your statement is ready for viewing.
    • If you become aware of any fraudulent transactions, immediately call your financial institution and follow up by formally disputing the transaction in writing.
    • Be suspicious of any email or phone call that you might receive about the breach that requests personal information.

    6. Breaches involving your driver's license number or another government-issued ID document

    If you are notified of a breach involving your driver's license or another government document, contact the agency that issued the document and find out what it recommends in such situations. You might be instructed to cancel the document and obtain a replacement. Or the agency might instead "flag" your file to prevent an imposter from getting a license in your name.

    7. Breaches involving your Social Security number (SSN)

    If the breach involved disclosure of your Social Security number (SSN), a fraudster could use that information to open new accounts in your name. This is called "new account fraud". You will not immediately know of the new accounts because criminals usually use an address other than your own for the account. Since you will not be receiving the monthly account statements, you are likely to be unaware that the accounts have been opened in your name.   

    That is why it is so important to immediately place a fraud alert on your credit reports when you learn that your SSN has been compromised, and then to monitor your credit reports on an ongoing basis. A security freeze provides even more protection than a fraud alert.  In fact, a security freeze can provide the greatest protection from identity theft.

    Here are the steps you should take:

    Notify the credit bureaus and establish a fraud alert

    Immediately contact the fraud department of any one of the three credit reporting agencies -- Experian, Equifax, or TransUnion -- to request a fraud alert. When you request a fraud alert from one bureau, it will notify the other two for you. Your credit file will be flagged with a statement that says you may be a victim of fraud and that creditors should take additional steps to verify your identity before extending credit.  The federal Fair Credit Reporting Act (FCRA) enables you to place an initial fraud alert for 90 days.  The fraud alert may be renewed on the 91st day for another 90 days. You can continue to renew a fraud alert indefinitely. You may cancel the fraud alerts at any time.

    If you do become a victim of identity theft, you can obtain an “extended fraud alert” that will be in effect for seven (7) years.

    Members of the military can place an active duty fraud alert on their credit reports for one year if they are away from their usual duty station. 

    Order your credit reports

    When you establish the fraud alert, you will receive a follow-up letter from each credit bureau. Each letter explains how you can order a free copy of your credit report from that credit bureau. We suggest that you take advantage of this offer and order your credit reports soon. If you are a victim of identity theft, you will see evidence of it on your credit report. 

    Examine your credit reports carefully

    When you receive your credit reports, look for signs of fraud such as credit accounts that are not yours. Check if there are numerous inquiries on your credit report. If a thief is attempting to open up several accounts, an inquiry will be listed on your credit report for each of those attempts. Usually identity thieves do not succeed in opening all of the accounts that they apply for, only some. So multiple inquiries that you yourself have not generated are a sign of potential fraud. Also, check that your SSN, address(es), phone number(s), and employment information are correct.

    If your credit report indicates you are a victim of identity theft, you will want to immediately take steps to remove the fraudulent accounts. Read our Fact Sheet 17a: Identity Theft: What to Do if It Happens to You for instructions.  Also see the Federal Trade Commission's identity theft web site.

    Continue to monitor your credit reports

    Be aware that these measures may not entirely stop new fraudulent accounts from being opened by an imposter. Credit issuers do not always pay attention to fraud alerts, even though federal law now requires it. Once you have received the first free copy of your credit report, follow up in a few months and order another.

    Every consumer (whether or not a victim of identity theft) can receive one free credit report every 12 months from each of the three national credit bureaus. This is over and above the free credit report that you can request upon establishing a fraud alert.

    In addition, laws in several states give individuals other opportunities to obtain free credit reports. For victims who live in California, you can get one free report each month for the first 12 months upon request (California Civil Code 1785.15.3). And in seven states, whether a victim or not, you can receive a free credit report each year under state law, over and above the free report you can receive yearly under federal law. These states are: Colorado, Georgia (2 per year), Maine, Maryland, Massachusetts, New Jersey, and Vermont.

    Consider a security freeze

    A security freeze provides the greatest protection from identity theft.  It is stronger than a fraud alert because it prevents anyone from accessing your credit file until and unless you authorize the credit bureaus to release your report. (Note that it does not affect existing accounts). Be aware that this might be inconvenient if you will be applying for new credit, renting an apartment, or seeking employment involving a background check, since you will have to lift the freeze on your credit file for these situations. Generally, you can request that it be lifted for a certain period of time, or for a specific creditor.

    There may be a small fee to place and/or lift the security freeze. In California and in many other states, the security freeze is free to victims of identity theft. Non-victims who wish to place a security freeze may need to pay a fee, depending upon their state of residence.  If there is a fee, it is typically $5-10 to activate the freeze for each credit bureau, and $5-10 to lift the freeze per credit bureau.

    The three credit bureaus -- Equifax, Experian, and TransUnion -- offer security freezes nationwide.

    Brian Krebs' post How I Learned to Stop Worrying and Embrace the Security Freeze is a primer on what you can do to avoid becoming a victim of identity theft.  The California Department of Justice’s Privacy Enforcement and Protection Unit web site provides information on how to establish a security freeze in California. 

    8. Resources for Businesses

    If you are a business that has experienced a security breach, you can learn about security breach notification laws:

    The California Department of Justice’s Privacy Enforcement and Protection Unit has developed a series of recommended practices. If you are a California company (or state government agency, nonprofit, or educational institution), review its guide, Recommended Practices on Notice of Security Breach Involving Personal Information.

    See also:

    The Federal Trade Commission (FTC) offers a Data Security page.

    9. Resources for Consumers

    Federal Trade Commission (FTC)

    Identity Theft Resource Center

    California Department of Justice’s Privacy Enforcement and Protection Unit

    Privacy Rights Clearinghouse

    U.S. PIRG

    Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.