Tools: What and How To Tell Customers About a Breach
Sample Notification Letter:
We regret to inform you that an incident has occurred which may have compromised the security of a database containing some of your personal information. We apologize for any inconvenience this may cause you.
[Describe the information compromise and how you are responding to it.]
Canada's major credit reporting agencies, Equifax and TransUnion, have been notified of this breach and have provided the following compromise number: XXXXX. This number should be referred to in any communication with them. They recommend that you call their agents to discuss whether a fraud alert should be placed on your credit file and what other steps are required (Equifax: 1-866-779-6440 and TransUnion Canada: 1-877-525-3823).
A fraud alert tells creditors to contact you before they extend credit, open a new account or change your existing accounts. You should be aware that while most creditors will call you, they are not obliged by law to do so, thus it is not fail-proof protection.
Report any unauthorized activity as soon as you are aware of it to your financial institution, the credit reporting and law enforcement agencies, and the Canadian Anti-Fraud Centre (1-888-495-8501).
A police report has been prepared on this incident; the number of the report is YYYYY. Your financial institution or other creditors may require the police report to clear you of any fraudulent charges that may occur.
With appropriate identification, you can also request that a copy of your credit report be mailed from the Credit Reporting Agencies to you free of charge. Visit their Web sites for details on what is considered to be acceptable identification. If you receive a copy of your report and do not find any unauthorized activity, it is recommended that you continue to check your credit reports periodically.
We are recommending that you take these precautions to reduce the risk of financial losses or your information being used for illegal purposes.
We recommend that you visit www.cmcweb.ca/idtheft to obtain information on identity theft including:
- Tips for Reducing the Risk of Identity Theft
- What to do if it happens to you
- Identity Theft Statement
- Frequently Asked Questions
- Consumer Identity Theft Checklist
Our organization's information officer is [insert name of person responsible for administration related to breach] and can be contacted at [telephone number and address if applicable] if you have any questions.
Once again, we regret any inconvenience this incident may cause you.
What To Say and How To Respond When a Thief Strikes
Sample Questions and Responses
If someone else's identifying information is breached, they are going to have questions. Prepare your staff to speak with whoever was affected - customers, suppliers, partners - or any other organization connected to your business. Be specific and act quickly.
- Question: What personal information of mine was lost?
- Response: You will need to inform potential victims of what was lost to prevent or repair possible damage.
- Question: Why did you have this personal information in the first place?
- Response: Under privacy laws, organizations must identify the purposes for collecting personal information at or before the time of collection. You should also be prepared to explain why it was necessary to store it.
- Question: When was it lost?
- Response: Timing is important if a victim reports a possible theft, because credit issuers need to know when fraudulent charges might appear.
- Question: How did it happen?
- Response: An explanation will be required. The more steps you have taken to prevent a breach, and the sounder your prevention and management measures, the better your position for answering this question.
- Question: What are you doing to fix the problem?
- Response: You should prepare a response carefully, including the corrective action you have taken.
- Question: What can an ID thief do with my information?
- Response: It will depend on what data was accessed. Common forms of fraud using personal information include: fraudulent charges to existing credit cards or bank accounts, opening new credit accounts in another's name, opening cell phone or other accounts in another's name.
- Question: How can I protect myself now that this incident has occurred?
- Response: Tell potential victims to contact credit reporting agencies and financial institutions to ask for a fraud alert, and to check their credit report at least annually.
- Question: If I put a fraud alert on my file, does it guarantee that credit will not be issued without first contacting me?
- Response: Let them know that, while most creditors will call, they are not obliged by law to do so, thus it is not a fail-proof protection.
- Recognize it.
- Report it.
- Stop it.