By Kansas Attorney General Derek Schmidt
Several weeks ago, my office was contacted by a retired elementary school teacher with a question. “Marianne” told us her bank had sent her an email reporting that her “online banking account access had been compromised.”
The official-looking email also included an electronic “form” that she was to fill out and send back to correct the data breach. “Marianne” was concerned and a bit puzzled because she does not use online banking. She explained that she prefers to personally visit her branch for her banking services.
Our office advised her to not complete the form and instead to visit her bank immediately and ask a bank official for guidance. As it turns out she was a victim of “phishing” and attempted hacking of her personal account information.
The national news has been full of news reports in recent months about hackers who have breached or hacked computer systems in many companies. Sony, Citigroup, and Morgan Stanley Smith Barney are among the larger firms that have been accessed by hackers or otherwise compromised. Money Magazine reported in its September 2011 issue that the nonprofit Privacy Rights Clearinghouse has traced 313 corporate breaches of personal information about their customers.
It could happen to any of us.
Federal law requires that banks inform customers of breaches, and 46 states – including Kansas – have laws mandating other companies do the same. When a security breach occurs, Kansas law requires the person, business or government entity to conduct a reasonable, prompt investigation to determine the likelihood that personal information has been or will be misused. If it is likely, the affected Kansans must be notified as soon as possible. If more than 1,000 consumers are affected by the breach, the business must also notify national consumer reporting agencies (Equifax, Experian and Trans Union).
In most cases, if the individual, company or government agency does not notify consumers of security breaches as required by statute, our office can help enforce the law requiring them to do so.
Of course, the best way to deal with data security problems is to avoid them in the first place. There are actions you can take to help protect your data from being compromised. Here are a few examples:
PASSWORDS. Experts recommend that you change your password frequently – perhaps monthly. If you find that your password has been exposed, change it immediately and monitor your accounts on a daily basis for any suspicious activity.
CREDIT CARD NUMBERS. Federal law limits your losses from fraud to $50 provided you promptly notify your card company of the false charge. If you find that your account has been breached, it is easy to call your credit card company and ask for a new card and new number. Be sure to monitor your account and notify the company immediately of any unauthorized transactions.
DEBIT OR BANK INFORMATION. If your account number is exposed or stolen, close the account and get one with a new number. Be sure to ask for a verbal password or PIN number for extra security. If only the debit card number was compromised, cancel the card and change the PIN to shut off any access to the account.
SOCIAL SECURITY NUMBER. Since your SSN allows a fraudster to open credit in your name, act fast to request a fraud alert on your credit reports. This will alert lenders to know that they need to take extra security steps before they issue new credit in your name. You can also ask the various credit bureaus to set up a “security freeze” to prevent anyone from opening up new credit in your name.
If you have any questions or if you become the victim of your personal information being compromised, please contact my office at www.ksag.org or call our Consumer Protection Hotline at 1-800-432-2310. We are here to serve you.