How to respond to a data-breach notification

Last Friday, a reader named Peter contacted me about a notice that appeared when he tried to sign into his Marriott Rewards account. The notice indicated that someone may have attempted to hack the account and he should change his password. Peter initiated a live chat with the Marriott help desk and was told the following:

"There have recently been attempts made to gain unauthorized access to a small number of members' online accounts. I encourage you to visit Marriott.com and change your password as soon as possible to assist us in ensuring the security of your account."

When Peter asked the agent whether his account had been compromised, the agent refused to provide any further details. This made Peter suspicious, and rightly so. We've become accustomed to phishing scams that attempt to trick us into changing our log-in IDs and passwords so the phishers can capture them and then steal our data.

Take the initiative when you suspect your personal data is at risk
Peter responded to Marriott.com's security notification exactly as the experts recommend: before making any changes to your account ID or password, confirm the notice's authenticity. As Dennis Schaal reported earlier this month on the Skift travel site, Marriott cut off access to Marriott Rewards accounts from mobile devices until members had changed their passwords.

Schaal quotes a Marriott spokeswoman who claimed no credit-card or Social Security numbers were compromised by the hack attempts, although she said it was "virtually impossible" for the company to determine whether any accounts were breached and if so, which ones.

Where does that leave Peter and other Marriott Rewards members? At least they know the alert was legitimate, but they don't know whether they need to take any precautions beyond simply changing their Marriott.com password.

Even the obvious first step of changing the potentially compromised account's password might be more complicated than it appears. If you've set your browser to remember your passwords, recorded your passwords on paper or in a data file, or use a password manager, those lists will have to be updated as well.

While many experts recommend using a password-management product such as LastPass, I'm not sold on the concept. For me, such services create another potential target for hackers. Writing down your passwords presents problems as well. (Last October, I explained "The safe way to 'write down' your passwords.")

A post from December 2001 titled "Mastering the art of passwords" discussed the pros and cons of password managers. That post described my favorite password-creation technique, which doesn't require using a separate program or writing passwords on paper.

Start with something you've already memorized, such as a song lyric, a line from a poem, or the names of siblings, cousins, or friends. Then use the second, third, or last letters of those words as your passphrase.

For example, if you choose the nursery-rhyme line "Hickory dickory dock, the mouse ran up the clock," combine the third letters of each word (or the last letter for words shorter than three letters) to create your passphrase: "ccceunpeo." For added protection, start the third-letter sequence with the last word of the line and end with the first word.

Security experts recommend that you use a different passphrase at each site you frequent. The above mnemonic method facilitates use of unique passphrases at various sites: start or end the letter sequence with the same-number letter of that particular service. So at Amazon, for example, the above passphrase would be "accceunpeo" (starting with the third letter of the word "Amazon").

Keep a close watch on your credit activity
After you've changed your password, the next step is to determine what data may have been compromised. In Peter's case, it's possible that hackers accessed the credit card associated with his Marriott Rewards account. The obvious response is to monitor future statements for that account to ensure no unauthorized charges appear.

If you have online access to the account activity, you can check for bogus charges without having to wait for a statement to arrive. Many credit-card companies let you sign up for e-mail or text alerts whenever particular transactions occur.

The Privacy Rights Clearinghouse's "How to Deal with a Security Breach" page emphasizes the importance of disputing fraudulent charges right away. When you dispute a charge, the company will likely cancel the current account and issue you a new card and account number.

Timely reporting is even more important if the charge is to a debit card account, as explained on the Privacy Rights Clearinghouse's "Paper or Plastic: What Have You Got to Lose?" page. (The PRC recommends that you never use or even carry debit cards because they lack the protections of credit cards.)

If there's a chance your Social Security number has been stolen, the thieves may use the SSN to open new credit accounts in your name. That's why you need to place a fraud alert on your accounts with one of the three credit-reporting agencies. You also need to monitor your credit report regularly.

For an added level of protection, you can place a security freeze on your credit accounts that prevents anyone from accessing your credit information unless you explicitly allow it. The PRC's Security Breach fact sheet has information for contacting the credit bureaus to request a fraud alert and for signing up or a security freeze.

When you request a fraud alert from one reporting agency, that company will contact the other two agencies for you. The alert will be in place for 90 days, although you can cancel it at any time or extend it as long as seven years.

A security freeze generally costs from $5 to $10 to place and to remove, although in California and some other states, identity-theft victims can get a security freeze for free. The two official sources for free annual credit reports are the US Federal Trade Commission's Free Credit Reports site and AnnualCreditReport.com (877-322-8228).

Because you can request a free report from each of the three credit-reporting agencies once a year, you could get a free report from one of the three every four months.

Years ago, I was the victim of a fraud attempt. I subsequently signed up for a credit-monitoring service that charges an annual fee. The service sends me complete reports quarterly and alerts whenever an organization requests my data from one of the three credit-reporting agencies. For me, the peace of mind the monitoring service offers is worth the expense, although many people would find such credit monitoring unnecessary.

The Equifax Finance Blog's "Identity Theft: Dealing with a Data Breach" page explains what happens when you request a fraud alert or security freeze. The blog points out that your stolen information may not be used by the hackers for a year or more, so it's imperative to continue monitoring your credit activity.

When are companies required to notify customers of data breaches?
Marriott's refusal to offer any details about the possible hack attempt against Peter isn't unusual. The likelihood that you'll be contacted at all when an organization loses or may have lost your private data depends on where you live.

According to the Open Security Foundation's DataLossDB, 47 states have enacted laws requiring that consumers be notified of breaches that put their personal information at risk. However, only 12 states combine the notification requirement with open record or freedom of information legislation and a centralized authority, such as the Attorney General or consumer protection division, to which breaches are reported.

Federal regulations cover breaches of medical data. In August 2009, the U.S. Department of Health and Human Services issued the Breach Notification Rule, which implements section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act and applies to "HIPAA covered entities and their business associates." (HIPAA is the Health Insurance Portability and Accountability Act of 1996.)

As part of the American Reinvestment and Recovery Act of 2009, the U.S. Federal Trade Commission issued a Final Breach Notification Rule for Electronic Health Information that applies to "vendors...which provide online repositories that people can use to keep track of their health information and entities that offer third-party applications for personal health records."

There is no federal requirement that other public and private organizations notify consumers when their personal data may have been compromised. The Congressional Research Service's 2010 report titled "Federal Information Security and Data Breach Notification Laws" (PDF) points out that state privacy laws are much more likely to require that public and private entities notify consumers who may have been affected by a data breach.

The National Council of State Legislatures provides an overview of state security breach notification laws. The Intersections Consumer Notification Guide (PDF) explains the particulars of each state's notification requirements.

Last month on the Sophos Naked Security blog, Chester Wisniewski examined recent changes in state data-breach notification laws, some changes for better and some for worse.

After four failed attempts dating back to 2005, Congress appears to be poised to make yet another attempt at passing a comprehensive breach-notification law. Victor Li explains on the Legal Intelligencer site that the House Energy and Commerce Committee's trade subcommittee took up the matter in a hearing last month at which several industry representatives and privacy experts testified.

One of the major unsettled issues is whether a federal notification law would supersede state laws or complement existing state notification requirements. On the one hand, complying with various state notification laws creates a bureaucratic nightmare for some companies. On the other hand, privacy advocates fear a single federal regulation would wipe out some existing state-mandated consumer protections.