So your employer 'lost' your information
Here's what to do if you get the bad news.
NEW YORK (CNN/Money) - Millions of employees and consumers have gotten some unwelcome news in 2005. They were told that their personal information was lost or had been stolen.
That personal information included names, Social Security numbers and other valuable identifiers.
The breaches may have been due to human error or, more troubling, a heist by identity thieves or other criminally minded menaces.
If you find an e-mail from your company telling you that there's been a security breach of employees' information, chances are you won't know for a while whether theft was the cause.
In the meantime, there are steps you can take to prevent your information from being used fraudulently.
Put a fraud alert on your credit reports. A fraud alert tells companies that they should call you to verify your identity whenever they check your credit report with the intention of opening an account in your name or making any changes to an existing one.
So, for example, if someone is fraudulently trying to set up a cell phone account in your name, the creditor will call you first.
Put a fraud alert on your credit reports at all three credit bureaus -- Equifax (800-525-6285), Experian (888-397-3742) and TransUnion (800-680-7289).
It's a relatively quick process that you can do by phone via the credit bureaus' automated systems.
You will need to punch in your Social Security number and other identifying information. You'll also be asked to give your phone number. Attorney Mari Frank, author of books on privacy and identity theft, recommends you give your cell-phone number so that creditors can reach you easily.
Technically, if you tell one bureau to put a fraud alert on your report, that bureau will alert the other two so you don't have to. But Sheila Gordon, director of victim services at the Identity Theft Resource Center, said this process can take a while, so she recommends you call each bureau individually.
The bureau should send you a letter of confirmation within a week with instructions about how to order your free credit report.
The fraud alert is free and lasts 90 days. Gordon and Frank recommend you renew that alert every three months for at least a year, since identity thieves may take their time before using your information. A spokesman for Equifax recommends renewing it a couple of weeks before the expiration of the current alert.
Putting an alert on your credit reports might delay the granting of instant credit, but it should not lower your credit score or prevent you from getting a loan.
The law requires creditors to respond to fraud alerts, but there is no penalty if they don't, Frank said. That's why it's important to be vigilant about checking your credit report for suspicious activity every few months.
Order the reports directly from the bureau. Doing so from third parties -- for example, through a lender -- can lower your credit score.
If you live in California, Texas, Vermont or Louisiana, you also are allowed to put a freeze on your credit report -- meaning that no one can view it unless you give them a password to access it, Frank said.
Consider signing up for a credit monitoring service. Your employer may offer to pay for this service with the credit bureaus for a period of time.
The service will alert you when there have been major changes in any of your credit reports and may include free access to your credit reports for a period of time.
What it won't do is protect your identity, Gordon said. That is, you will be alerted to changes on your report, but it won't prevent those changes.
What's more, she said, if you're thinking of signing up for the service on your company's dime, you may be signing away your rights to a class-action lawsuit. So first inquire whether you can sign up without signing away your rights.
Tell your beneficiaries. If the lost or stolen employee data were used primarily for human resource issues -- e.g., compensation, benefits and retirement planning -- it's likely the Social Security numbers of the beneficiaries on your 401(k) account or life insurance policy might be compromised as well.
Alert those beneficiaries about the breach and suggest they follow the same steps you're taking.
Change your bank account numbers. If you use direct deposit and the data stolen had to do with compensation issues, you might want to change your bank account numbers.
When changing your account, make sure you use a password and Personal Identification Number (PIN) that is not your mother's maiden name, your birth date, your Social Security number or any part of it, or any other easily guessed code.
Once your account is changed, you should receive a new ATM or debit card as well as new checks. (Gordon recommends shredding your old checks.)
Also, be sure to alert any company whose bills you pay directly from your bank account about the change in account numbers.
Change identifiers on your 401(k), life insurance policy and stock-options brokerage account. Again, if it's primarily HR data that have gone missing, anyone using that information may be able to access your 401(k) account, your life insurance policy or accounts holding your stock options. So it may be worth changing those account numbers and passwords as well.
If it's not possible to change the insurance policy number, Gordon said, ask if it's at least possible to password protect it.
Insist on identifiers other than your Social Security number. If your employer still uses your Social Security number as your identification number to grant you access to your own files on the company's intranet, now is the time to request that they assign employees an identifier of randomly selected numbers instead.
The same goes for your health insurance policy.
Opt out of pre-approved credit offers. To put a stop to pre-approved offers for credit and insurance -- the majority of which are generated by lenders using information from the major credit bureaus and consumer credit information provider Innovis -- call the Automated Credit Reporting Industry (888-567-8688).
Monitor your accounts for any irregularities over the next few years. Even after taking these steps, you will want to keep a close eye on your accounts, Gordon said. Here are her recommendations:
For more about what you can do about identity theft, click here.
The original version of this story advised against using services like MyFreeCreditReport.com to obtain your credit report because it could lower your credit score. A spokesman for TrueCredit called to say that his company believes MyFreeCreditReport.com may, in fact, be a phishing site since it uses the logo of TrueCredit's corporate parent TrueLink, even though it is not a TrueLink site. The spokesman said TrueCredit is trying to identify and contact the person or business that registered the site.