Don’t ignore a data breach letter

by Jeff Blyskal, Consumer Reports

Skeptical consumers, take heed: If you receive a notice that your personal data has been breached, pay attention and take free self-help steps to protect yourself from identity fraud. Data-breach notifications have become an increasingly reliable predictor of identity fraud headed your way, according to the latest annual survey by Javelin Strategy and Research, the California consulting firm that has studied this crime for 10 years.

Unfortunately, "we find that consumers often ignore these letters," says Jim Van Dyke, Javelin’s president. That arguably made some sense four years ago, when only 10 percent of breach-notice recipients had subsequently become victims of identity fraud, but it can be a mistake now.

The 2012 survey of more than 5,000 consumers’ experience with ID fraud found that 22.5 percent of breach notice recipients had subsequently become victims of the crime, the highest of a persistently rising rate since 2009. That’s almost eight times the 2.9 percent ID fraud rate for consumers who hadn’t received a breach notice.

Worse still, identity thieves tend to attack breach victims with new-account fraud (opening new credit accounts in their name), a less common but more onerous type of identity fraud, because it’s more complicated to correct and hits victims with higher out-of-pocket losses.

Since 2003, when California became the first state to require such notifications, 46 states and the District of Columbia now mandate that banks, retailers, health care providers, and other companies alert their customers when the company has lost their Social Security number or other private identifying information, due to negligence or theft.

Last year alone, 680 breaches involving the information of more than 24 million people were publicly reported, according to the Privacy Rights Clearinghouse, the San Diego-based organization that has been tracking breaches since 2005 and which says its total is conservative.

If you receive a breach notification, take these no-cost precautions:

1) Immediately add a fraud alert to your credit report by contacting any one of the big three credit bureaus (Equifax, Experian, and TransUnion), which warns prospective creditors who pull your file that your identity data has been stolen and the person applying for credit in your name may not be you. This is a quick but imperfect stopgap, because lenders don’t always read or heed fraud alerts.

2) Place a security freeze on your credit reports by individually contacting all three credit bureaus online, by phone, or by mail. That blocks access to your report by prospective lenders who don’t already do business with you, a considerable impediment for a crook applying for new credit in your name. Since you’ve been notified of a data breach, you’re already an ID theft victim, and the freezes should be free.

3) Close any affected accounts and put yourself on a schedule of regularly monitoring your financial accounts and credit reports.

4) And, as we advised in the January issue of Consumer Reports, don’t waste $120 to $300 a year paying for ID protection services. They don’t cover you after the fact anyway.

Although you should take ID theft and a breach notice seriously, don’t panic. The vast majority of what is now called ID fraud actually involves the theft of your existing credit and debit cards. Your liability for those losses is limited by consumer protection laws, often to nothing, under card issuers’ zero-liability policies.

Most victims of existing account fraud suffer no losses personally, though the average was $336 last year, in part because the financial institutions that are legally on the hook for losses are doing a better job at stopping ID thieves themselves.

Although the total number of ID fraud victims was up last year, to 12.5 million vs. 11.6 million in 2011, that’s still below the 2009 peak of 13.9 million. Meanwhile, new account fraud, which has historically affected only 0.8 percent of the population, increased last year to 1.2 percent, but consumer out-of-pocket losses for that type of ID fraud were down last year, to $952 from $1,205 in 2011.