So your employer 'lost' your information
Here's what to do if you get the bad news.
By Jeanne Sahadi, CNN/Money senior writer

NEW YORK (CNN/Money) - Millions of employees and consumers have gotten some unwelcome news in 2005. They were told that their personal information was lost or had been stolen.

That personal information included names, Social Security numbers and other valuable identifiers.

Related stories
Fund clients vulnerable to ID theft? ()
ID theft: The real risk ()
1.4 million records stolen from retailer ()
Damage control for identity theft ()
ChoicePoint: More ID theft warnings ()

The breaches may have been due to human error or, more troubling, a heist by identity thieves or other criminally minded menaces.

If you find an e-mail from your company telling you that there's been a security breach of employees' information, chances are you won't know for a while whether theft was the cause.

In the meantime, there are steps you can take to prevent your information from being used fraudulently.

Put a fraud alert on your credit reports. A fraud alert tells companies that they should call you to verify your identity whenever they check your credit report with the intention of opening an account in your name or making any changes to an existing one.

So, for example, if someone is fraudulently trying to set up a cell phone account in your name, the creditor will call you first.

Put a fraud alert on your credit reports at all three credit bureaus -- Equifax (800-525-6285), Experian (888-397-3742) and TransUnion (800-680-7289).

It's a relatively quick process that you can do by phone via the credit bureaus' automated systems.

You will need to punch in your Social Security number and other identifying information. You'll also be asked to give your phone number. Attorney Mari Frank, author of books on privacy and identity theft, recommends you give your cell-phone number so that creditors can reach you easily.

Technically, if you tell one bureau to put a fraud alert on your report, that bureau will alert the other two so you don't have to. But Sheila Gordon, director of victim services at the Identity Theft Resource Center, said this process can take a while, so she recommends you call each bureau individually.

The bureau should send you a letter of confirmation within a week with instructions about how to order your free credit report.

The fraud alert is free and lasts 90 days. Gordon and Frank recommend you renew that alert every three months for at least a year, since identity thieves may take their time before using your information. A spokesman for Equifax recommends renewing it a couple of weeks before the expiration of the current alert.

Putting an alert on your credit reports might delay the granting of instant credit, but it should not lower your credit score or prevent you from getting a loan.

The law requires creditors to respond to fraud alerts, but there is no penalty if they don't, Frank said. That's why it's important to be vigilant about checking your credit report for suspicious activity every few months.

Order the reports directly from the bureau. Doing so from third parties -- for example, through a lender -- can lower your credit score.

If you live in California, Texas, Vermont or Louisiana, you also are allowed to put a freeze on your credit report -- meaning that no one can view it unless you give them a password to access it, Frank said.

Consider signing up for a credit monitoring service. Your employer may offer to pay for this service with the credit bureaus for a period of time.

The service will alert you when there have been major changes in any of your credit reports and may include free access to your credit reports for a period of time.

What it won't do is protect your identity, Gordon said. That is, you will be alerted to changes on your report, but it won't prevent those changes.

What's more, she said, if you're thinking of signing up for the service on your company's dime, you may be signing away your rights to a class-action lawsuit. So first inquire whether you can sign up without signing away your rights.

Tell your beneficiaries. If the lost or stolen employee data were used primarily for human resource issues -- e.g., compensation, benefits and retirement planning -- it's likely the Social Security numbers of the beneficiaries on your 401(k) account or life insurance policy might be compromised as well.

Alert those beneficiaries about the breach and suggest they follow the same steps you're taking.

Change your bank account numbers. If you use direct deposit and the data stolen had to do with compensation issues, you might want to change your bank account numbers.

When changing your account, make sure you use a password and Personal Identification Number (PIN) that is not your mother's maiden name, your birth date, your Social Security number or any part of it, or any other easily guessed code.

Once your account is changed, you should receive a new ATM or debit card as well as new checks. (Gordon recommends shredding your old checks.)

Also, be sure to alert any company whose bills you pay directly from your bank account about the change in account numbers.

Change identifiers on your 401(k), life insurance policy and stock-options brokerage account. Again, if it's primarily HR data that have gone missing, anyone using that information may be able to access your 401(k) account, your life insurance policy or accounts holding your stock options. So it may be worth changing those account numbers and passwords as well.

If it's not possible to change the insurance policy number, Gordon said, ask if it's at least possible to password protect it.

Insist on identifiers other than your Social Security number. If your employer still uses your Social Security number as your identification number to grant you access to your own files on the company's intranet, now is the time to request that they assign employees an identifier of randomly selected numbers instead.

The same goes for your health insurance policy.

Opt out of pre-approved credit offers. To put a stop to pre-approved offers for credit and insurance -- the majority of which are generated by lenders using information from the major credit bureaus and consumer credit information provider Innovis -- call the Automated Credit Reporting Industry (888-567-8688).

Monitor your accounts for any irregularities over the next few years. Even after taking these steps, you will want to keep a close eye on your accounts, Gordon said. Here are her recommendations:

  • Check your annual earnings statement from the Social Security Administration and make sure it squares with the money you've earned this year.
  • Check your 401(k) account periodically to make sure no one has cashed out or rolled over any of your balance.
  • Check any notices from the IRS that indicate you haven't paid taxes on certain earnings, which may indicate someone is working under your Social Security number.
  • Check your credit report for any new loans (e.g., home, car, school) taken out in your name or new credit card accounts you didn't open.

For more about what you can do about identity theft, click here.

The original version of this story advised against using services like MyFreeCreditReport.com to obtain your credit report because it could lower your credit score. A spokesman for TrueCredit called to say that his company believes MyFreeCreditReport.com may, in fact, be a phishing site since it uses the logo of TrueCredit's corporate parent TrueLink, even though it is not a TrueLink site. The spokesman said TrueCredit is trying to identify and contact the person or business that registered the site. Top of page

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer. Morningstar: © 2018 Morningstar, Inc. All Rights Reserved. Factset: FactSet Research Systems Inc. 2018. All rights reserved. Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor's Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2018 and/or its affiliates.

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer. Morningstar: © 2018 Morningstar, Inc. All Rights Reserved. Factset: FactSet Research Systems Inc. 2018. All rights reserved. Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor's Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2018 and/or its affiliates.