If you get a letter notifying you that your personal data was involved in a corporate data breach, you should pay close attention, a new report says.
Nearly a quarter of people who receive such letters become victims of identity fraud, the report, from Javelin Strategy & Research, found. (The firm makes a consumer version of its report available free.)
The latest report from Javelin is based on an online survey, using a probability-based panel fielded by Knowledge Networks, which questioned 5,249 adults in the United States from Sept. 20 to Oct. 12, 2012. For questions answered by all participants, the margin of sampling error is plus or minus one percentage point; for questions answered by all 857 participants who were identity fraud victims, it is plus or minus three percentage points.
The annual report found that the incidence of identity theft overall was about 5.3 percent of consumers, compared with 4.9 percent the year before.
Much of the increase was driven by so-called "new account" fraud, involving the unauthorized opening of general use or store brand credit cards, as well as "account takeover" fraud, in which the identity thieves may change consumers' contact information — like their mailing addresses — to gain illegal access to their accounts, the report said.
Data breaches involving Social Security numbers are the most damaging, the report found, because they can be used to open new accounts and authenticate existing ones. Consumers who had their Social Security number compromised in a data breach were five times more likely to be the victim of fraud than consumers on average.
So, what should you do if you get a breach letter?
First, contact the company to make sure the letter is legitimate, Javelin advises. Then, don't take the letter as some sort of reassurance. If you get one, you need to be more vigilant — not less — about checking your account statements and your credit report for suspicious activity, like new accounts you don't remember opening or charges you didn't make.
"We have a national problem, which is getting people to take these notifications seriously," said Jim Van Dyke, Javelin's chief executive.
If the company reporting the breach offers free monitoring of your credit report, you should use it, Mr. Van Dyke advised. "A surprising proportion of people don't even take advantage of an offer of free service," he said. At a minimum, you can check your credit reports without charge at AnnualCreditReport.com. (You can also request one from the different credit bureau — there are three big ones — every four months.)
Putting a security freeze on your credit report stops the fraudulent opening of new accounts without your knowledge. There may, however, be an "inconvenience" factor involved in lifting the freeze, in case you do want to apply for credit, Mr. Van Dyke said. (There's also usually a small fee involved, unless you're already an identity theft victim.)
Putting a fraud alert on your credit report is a less sweeping step that lets lenders know to do extra checking before issuing new credit in your name, and is usually a good idea if your Social Security number is compromised.
A security freeze or fraud alert won't help if the data exposed in the breach was, say, the account number of a credit card you already had open. In that case, you need to check your account regularly — either online, or by checking your paper statement — for suspicious charges. Or, as the Identity Theft Resource Center suggests, you can request a new card with a new account number, if the card company doesn't offer you one voluntarily.
What other steps can you take? In general, Javelin advises, never reveal your full nine-digit Social Security number unless it's necessary. If you're asked for it to establish your identity, ask if you can provide another form of identification instead. Also, ask service providers like cable companies and utilities to replace the last four digits of your Social Security number with a different four-digit security code to validate your identity when you call for service.
Even if you don't get a breach letter, Javelin advises monitoring your bank and credit card accounts electronically at least once a week — and preferably daily. Use whatever method is easiest for you — checking online, via a mobile app, or touch-tone banking. And take advantage of any automatic account alerts your bank offers.