It's not unlikely that sometime in the future - perhaps the near future - you will receive a letter notifying you that private information about you has in some way been compromised, and that theft of identity is a possibility.
Given the fast growing problem of ID theft, what should you do when you receive such a notice? Above all the one thing you should not do is do nothing. Don't ignore the letter; but on the other hand, don't panic either.
It used to be when a company or institution had a data breach they played things very close to their vests. Fearing a public relations disaster, or in the care of a publicly traded entity a falling stock price, it could be weeks or months before they admitted the breach and then they did so offering as little information as they thought they could get away with.
Now many state and federal laws and regulations require holders of others' personal data to quickly admit to any breach and to do so in sufficient detail so the recipient can judge for themselves the seriousness of the breach and possibility the likelihood of theft of identity.
But, again, the question of what should you do if you receive such a notice.
We need to go back to something we have said a number of times in this space: all data breaches are not the same and the level of possible theft of identity is not equal.
Was your data being held by some large organization that admits its computer system was hacked by professionals either here or abroad, and that your information was not encrypted.
Was a smaller organization your data was held by, perhaps a medical practice or a school or church group violated by an employee found to have been selling personal data.
If either of these situations, or something similar occurred, then quite possibly you have an immediate problem because the breach appears to have specifically been targeting personal information for the purpose of ID theft.
On the other hand, does the notice say that someone in the organization lost a notebook computer on which was an encrypted file that contained your and others' data. Or possibly, that a break-in occurred in which a number of computers with encrypted data files were stolen. Or even that a computer tape containing personal information was lost in transit.
In all of these situations it is reasonable to assume that the stealing of the computers was for the purpose of sealing computers and not to acquire the data on them. Or that at times parcels - even those containing computer tapes - simply go lost. Here the danger of your personal information being used to hurt you or to steal from you is much less.
Your response to these different scenarios should be different. If you believe it possible that the breach involving your personal information was for criminal reasons, then you should act promptly. But if the loss of your information was likely just incidental than you might just assume a wait and see attitude.
Many breach notifications, especially those in which the breach on its face seems nefarious, there will come an offer to give you free monitoring of your credit report for a certain period. By all means accept the offer, but do so realizing the limits of protection such monitoring alone represents. You might want to engage a more inclusive monitoring by a service like our Identity Guard. You also might want to put a freeze on your credit report at the three reporting agencies.
In any event, even when the exposure of your data seems off handed, you should closely monitor all your monthly statements for any suspicious activity. If you spot any, you should report it immediately and then go to the next steps like getting new credit cards with changed account numbers or new account numbers, changing all your passwords, putting a fraud report on your credit report, and other pro-active measures. A good service can help you do all the necessary things.