Q: I received a letter in the mail and I'm not sure what it means.
A: The letter is to inform you that an electronic file that contained your name and student identification number, which may be your social security number, was exposed to persons outside of the University. The file was created as part of a process used to update the online directory and create student computer accounts in the 1996-97 academic year. It contained only the name and student identification number.
Q: When did this happen?
A: The file was viewable between April 30, 2002 and May 14, 2002.
Q: I didn't get a letter; how do I know my personal information was not exposed?
A: If you were not enrolled at ISU in the 1996-97 academic year, your information was not on the list. If you were, but did not receive a letter, please call the Registrar's Office to verify that you were on the list, and to update your address so that we may send you a letter.
Q: Was any personal financial information accessed?
A: No. Only the name and student identification number was in the exposed file.
Q: Who might have my personal information?
A: The Office of Information Technology (OIT) is investigating to determine if it is possible to identify those who may have viewed the file.
Q: Is my personal information on the Web? How do you know?
A: There is no evidence that the data in the exposed file has been posted on any website. OIT staff will be diligently searching the web for occurrences of the data.
Q: Will ISU keep checking the Web?
A: Yes, we will keep checking for the next 4-6 months.
Q: If you find evidence of my information on the Web, will you notify me?
A: Yes, immediately.
Q: How can I be sure that this will not happen again?
A: Procedures for periodic review of files, especially after technical changes, have been put into place. While no security can be 100%, we will do what we can to minimize the chances of recurrence.
Q: Do I need to change all my credit card information, etc.?
A: That decision is ultimately up to you; however, it may be premature to take any such action. Since no credit card information was accessible, it would be difficult for the individual to use any existing accounts.
The biggest concern is that someone would initiate new credit accounts or transactions with your name and social security number. Please visit the following credit bureaus to learn more about how to protect against that risk.
Q: What is a fraud alert and should I get one?
A: You may request that a fraud alert be placed on your credit file. For example, Trans Union will post a fraud alert, which remains on file for seven years. The alert will advise credit grantors to contact the consumer prior to extending any new credit. Once an alert is added, you will receive a copy of your credit report. And while your account is under a fraud alert, you will be able to receive free copies of your credit file for about a year. Plan to request a copy at one to two months following the alert being placed on your file.
Q: What steps can I take to protect my information from future misuse?
A: To protect your information from misuse you should monitor any change in mail receipt patterns. Ensure that documents containing personal data or account numbers are destroyed or made illegible before disposing of them. Do not pre-print checks or other documents with unique identifiers such as your driver's license number or social security number. Never give out your account number or identifying information on phone calls in which you did not initiate contact.
Q: What should I do now?
A: Be on the lookout for unusual transactions for the next several months - monitor any change in mail receipt patterns, unexplained cellular phone or credit card accounts; any usage of accounts that you have not initiated. You may also want to review activity on your credit bureau file. Review these web sites for detailed information:
Q: How long am I going to have to be on the lookout?
A: A minimum of several months. However, you should always be on guard to protect yourself from these types of transactions.
The following is excerpted from the statement of Professor Fred H. Cate (Professor of Law, Harry T. Ice Faculty Fellow, and Director of the Information Law and Commerce Institute, Indiana University School of Law -- Bloomington) during the Congressional Briefing on the Public Record: Social Security Numbers and Sensible Policies for the Information Age, Washington, D.C., February 15, 2001.
"Two points are critical here: First, knowing my Social Security Number alone does not get me credit; it is merely a quick way of locating reliable information about me that can be used to verify my identity. Second, the Social Security Number is by no means the only way of accessing that record. Some businesses use telephone numbers or driver license numbers, for example. [...]
"The risk of identity theft or fraudulent misuse of personal information is exceedingly small. This does not, of course, mean that identity theft is not an important issue, but rather that it is among the least common of all frauds perpetrated in the United States. [...]
"Fortunately, when identity theft does happen, consumers are well protected by existing federal and state law. For example, identity theft victims do not have to pay for the fraudulent charges that identity thieves rack up in their victims' names. Those charges are virtually always paid by the merchants from which the goods or services were fraudulently obtained, or the financial institutions who extended credit or whose charge or debit cards were fraudulently used by the identity thieves, ...."
The answers to the following two questions were provided by Robert Boch, District Manager, Social Security Administration:
Q: What can someone do with a stolen SSN?
A: "With just a SSN there is little anyone can do in the way of setting up a false identity or securing credit. Generally an identity thief would need more information and documentation to set up false credit. SSA has significantly tightened our security procedures to prevent someone with a stolen SSN from gaining access to more information through our agency. A foreign national might, although it is unlikely, be able to work under a stolen SSN. This would not have a negative effect on the person whose number was stolen."
Q: How easy is it for someone to get my SSN?
A: "It is normally difficult for anyone who you don't authorize to get your SSN. Normally you have to be the one who provides your SSN. Most significant financial transactions require your SSN. The same is true for employers, most schools, state and other governmental activities. Once your SSN is in circulation, like your name, your SSN will be available to many people. At SSA we rarely find any problems with the actual misuse of a person's SSN.
Remember we give out our credit card numbers to store clerks, over the phone and on the Internet and for most of us nothing goes wrong. The same is true for our SSNs. Often Internet theft of SSNs is done more to prove the hacker can, than to do any actual damage. However, if your SSN is compromised, we recommend that you check with credit bureaus after a month or more has passed to see if any unauthorized activities occur. If that happens contact SSA and we will help you work through the process."
The Social Security Administration has material that explains what to do when identity theft might be a problem. You can call a local office and ask for the booklet "I.D. Theft" and pamphlet "When Someone Misuses Your Number." More information is available on the SSA website at www.ssa.gov.
Q: If I think someone else has used my SSN, what should I do?
A: Go to website www.consumer.gov/idtheft or call 1.877.IDTHEFT for additional information.
Q: Can I get my SSN changed?
A: The Social Security Administration determines that. According to their web page they will only consider it if there has been proven misuse of your SSN. Please review their information at www.ssa.gov.
Copyright © 2010 by Indiana State University.