286,000.
That's how many New York State residents, in September 2009, received a letter from a company or a New York State agency notifying them that their personal information may have been acquired by an unauthorized person in a data security breach. Depending on how these letters are written, they can reassure New Yorkers that appropriate steps are being taken, or they can raise concerns and cause confusion. The New York State Department of State Division of Consumer Protection urges all New Yorkers who receive a notice to read it carefully, direct any questions to the organization that sent the notice, and then take appropriate action to help protect your personal information from identity theft. To assist you in reviewing your breach notification letter, the Division offers the following answers to your most urgent questions:
- Why am I getting this letter?
New York State law1requires that State residents be notified when computerized data including personal information such as an individual’s name in combination with another sensitive element (such as a Social Security number, a driver’s license number, or a bank or credit card number with a password or access code) was or is reasonably believed to have been acquired by an unauthorized person. The law does not apply to non-computerized data such as paper records.
You should get a breach notification letter when a company or State agency (“the breaching organization”) determines with absolute or reasonable certainty that a breach has occurred involving the computerized personal information identified above. Some organizations may also notify you, as a precautionary measure, when they are unable to account for lost data and they cannot rule out the possibility that the loss may have been due to a breach.
- Will notification always come in the form of a letter?
In most cases, the notification of a data breach will be provided by the breaching organization in the form of a letter to affected individuals at their most recent street address in the organization’s file. However, under New York State law, if you have previously provided the organization with an alternative means of contact such as a telephone number or e-mail, the organization may notify you by the alternative means. For breaches affecting more than 500,000 New Yorkers or where the cost of individual notification would total more than $250,000, the breaching organization may substitute notice through its website and statewide media for individual written notification. While virtually all notifications to date have been by letter, it is possible that you may not get the written notice due to a change in your address. You also may not receive a call or an e-mail due to changes in your phone or e-mail contact information, and, in the case of the major breach events described earlier in this paragraph, you may miss the news story or the website notice.
To assist consumers who want to keep up on all the latest data security breaches affecting New York residents, the Division provides an updated list of reported breaches along with information on protecting your personal information which is discussed in detail below. Please visit the Division’s “Security Breach Alerts” section further details. If you are a subscriber to New York Alerts, you can choose to receive updates on the latest data security breach alerts, as well the latest scam and recall alerts, through Twitter, e-mail and text-to-voice for the visually challenged. Visit the "Sign Up for NY-Alerts" section at http://www.nyalert.gov for further details.
- What should the letter tell me about the breach?
Under New York State law, the breach notification letter must include contact information for the person or business making the notification and a description of the categories of information that are reasonably believed to have been acquired by a person without valid authorization, including the specific elements of information that are reasonably believed to have been acquired. Thus, the only information that a breaching organization is required to provide in the letter is a description of what personal information was or may have been acquired (e.g., your name and your Social Security number) and the contact information of a representative or agent to answer your questions. Though New York State law does not mandate specific types of contact information (e.g., name, title, mailing address, e-mail address, toll-free telephone number), you should reasonably expect to be provided with the name and telephone number of a representative or agent. If the letter does not provide this information, you should contact the Division’s Consumer Assistance Unit at 1-800-697-1220 for help. Once you have obtained a contact at the notifying organization for questions from the public, the Division advises you to make a list of all the questions you want answered and call the contact person for the organization’s response.
As a customer or constituent of the breaching organization, you have the right to expect more in the breach notification letter than the minimum legal requirements. You should expect an explanation of what the breaching organization reasonably believes happened to your personal information, and what the organization is doing to prevent a recurrence of the same type of incident. You also have the right to know whether the breaching organization has reported the incident to the three major credit reporting agencies (Equifax, Experian, TransUnion). Under New York State law, organizations are required to notify the credit reporting agencies for breaches that affect more than five thousand (5,000) consumers. Your own communications with the credit reporting agencies (discussed below) will go more smoothly if the agencies have previously received notice of the breach from the breaching organization that sent you the letter.
- What should the letter tell me about protecting my personal information?
Ideally, the breaching organization should advise that your personal information may be at risk for identity theft and provide you with a list of steps to take to help protect your personal information2. These include placing a fraud alert or security freeze on your credit reports, reviewing copies of your credit reports and following up with the police and credit reporting agencies if you discover fraud.
The organization's breach notification letter should say something like the following:
A - Fraud Alert or Security FreezeTo protect yourself from the possibility of identity theft, we recommend that you immediately place a fraud alert on your credit files. A fraud alert conveys a special message to anyone requesting your credit report that you suspect you were a victim of fraud. When you or someone else attempts to open a credit account in your name, the lender should take measures to verify that you have authorized the request. A fraud alert should not stop you from using your existing credit cards or other accounts, but it may slow down your ability to get new credit. An initial fraud alert is valid for ninety (90) days. To place a fraud alert on your credit reports, contact one of the three major credit reporting agencies at the appropriate number listed below or via their website. One agency will notify the other two on your behalf. You will then receive letters from the agencies with instructions on how to obtain a free copy of your credit report from each.
B - Reviewing Your Credit Reports
Equifax (888)766-0008 or www.fraudalert.equifax.com
Experian (888) 397-3742 or www.experian.com
TransUnion (800) 680-7289 or www.transunion.com
New York residents can also consider placing a Security Freeze on their credit reports. A Security Freeze prevents most potential creditors from viewing your credit reports and therefore further restricts the opening of unauthorized accounts. For more information on placing a security freeze on your credit reports, please go to the New York State Department of State Division of Consumer Protection website.When you receive a credit report from each reporting agency, review the reports carefully. Look for accounts you did not open, inquiries from creditors that you did not initiate, and confirm that your personal information, such as home address and Social Security number, is accurate. If you see anything you do not understand or recognize, call the credit reporting agency at the telephone number on the report. You should also call your local police department and file a report of identity theft. Get and keep a copy of the free police report because you may need to give copies to creditors to clear up your records or to access transaction records. Even if you do not find signs of fraud on your credit reports, we recommend that you remain vigilant in reviewing your credit reports from the three major credit reporting agencies. You may obtain a free copy of your credit report once every 12 months by visiting www.annualcreditreport.com, calling toll-free 877-322-8228 or by completing an Annual Credit Request Form at www.ftc.gov/bcp/menus/consumer/credit/rights.shtm and mailing to Annual Credit Report Request Service, P.O. Box 1025281. For more information on identity theft, you can visit the following websites:
New York State Department of State Division of Consumer Protection at: http://www.consumer.state.ny.us/protecting/identity_theft/
New York State Attorney General at: www.oag.state.ny.us/bureaus/consumer_frauds/identity_theft.html
Federal Trade Commission at: www.ftc.gov/bcp/edu/microsites/idtheft/
Some organizations may go a step further and offer you credit monitoring or some other proactive form of identity theft protection at their own expense. However, because New York State law does not require that breaching organizations provide you with any form of proactive protection, you may not be offered this option in all cases. If the breaching organization does offer proactive protection, make sure you understand what services are being offered and under what terms. If the organization does not offer such protection, the organization’s letter should at the very least provide you with the information and guidance you need to do it on your own.
If you do not understand what these steps involve, call the contact person provided in the letter. However, because New York State law requires only that you be provided with a contact person, some letters may simply offer the name and phone number of the contact without any further information. In those cases, you should review the materials available on the Division's website at http://www.consumer.state.ny.us/protecting/identity_theft/ in the section "Identity Theft Prevention and Mitigation Program Resources", especially the brochure "A Consumer's Guide to Preventing and Mitigating Identity Theft." If you have any questions about these materials, contact the Division's Consumer Assistance Unit at 1-800-697-1220 for assistance.
- New York State law” refers to the New York Information Security and Breach Notification Act which amends the General Business Law (Section 899-aa) and the State Technology law (Section 208). ↑
- A sample breach notification letter is available in the section "Security Breach Information for Business" on the New York State Department of State Division of Consumer Protection website at http://www.nysconsumer.gov/pdf/protecting/information_privacy/sample_notification_breach_letter.pdf. ↑