In the past several months, a parade of household names -- from Polo and Time Warner to MCI and Bank of America -- have been sending out "oops" letters apologizing for leaving laptops around that are chock full of private data or issuing news releases about possible credit-card theft.
In recent weeks, MCI Inc. began informing about 16,500 current and former employees that their personal data, including Social Security numbers, were on a laptop computer stolen from an employee's car. Bank of America Corporation and Wachovia Corporation are in the process of notifying more than 100,000 current and former customers of a breach in which bank employees allegedly sold account information to someone who sold it to collection agencies.
Last month, Polo Ralph Lauren Corporation said it may have been storing customers' credit-card numbers too long, providing an inviting target for thieves. Tufts University recently warned more than 100,000 alumni of unusual activity on a computer server that contained Social Security numbers. The University of California at Berkeley has been informing alumni, students and applicants that their data were in a laptop that was stolen.
So what are some of the institutions that lost data doing for the affected individuals? Most encouraged individuals to call credit-reporting agencies and put fraud alerts on their files. Time Warner Inc. took an additional step. When it announced on May 2 that a contractor lost a computer backup tape containing the data, including many Social Security numbers, of about 600,000 current and former employees, it offered a year of free credit monitoring. That would normally cost $129.95 a person a year.
The wave of announcements comes as an increasing number of legislators want to force companies to tell affected individuals when a data breach is detected. Already, several states, including California, require various degrees of disclosure; Congress is considering bills on the subject.
Time Warner's offer to pay Equifax Inc. to give potential victims a free year of credit monitoring effectively set a benchmark for others with missing data. With credit monitoring, consumers get alerts when something changes on their credit files. That way, they will find out quickly if a thief is trying to redirect their mail or buy a car in their name, for instance.
Credit monitoring can be helpful because it enables people to track whether changes are legitimate or instances of thieves trying to open new accounts.
By Sept. 1, everyone in the United States will be able to order a free annual report from the three big credit-reporting agencies: Equifax, GUS PLC's Experian and TransUnion LLC. Credit reports, while valuable, simply provide a snapshot of your loans and creditworthiness at a particular moment.
To explore how some companies are dealing with potential victims of identity theft and credit-card fraud, we enlisted several Wall Street Journal colleagues who had dealings with organizations that recently disclosed breaches.
Each institution was contacted by the affected staffer, who didn't reveal his or her Journal affiliation.
Time Warner set up a toll-free number for people with questions. When our reporter called in the first days after the company's announcement, the person who answered didn't know how to deal with a former Time Warner employee whose address had changed.
She told him to call Time Warner directly but didn't have its number. When he called the Time Warner switchboard operator, she had no idea where to direct him. Finally, someone in human resources took his address and said he would get a letter within two weeks with a promotion code to use when ordering the free credit monitoring. It never came. He called the 800 number again and finally was able to get the code.
When we talked to a Time Warner spokeswoman about the test, she said, "We take security very seriously and worked overtime to provide accurate resources as quickly as possible."
So far, the company hasn't heard of any reports of thieves attempting to use the data. And we are well aware that it is much easier for a bank employee or postal worker to steal our data than it would be for a person trying to upload Time Warner's backup tape.
According to a 2003 Federal Trade Commission survey, 1.5 percent of participants reported thieves opening new credit accounts or otherwise impersonating them in the previous year. Theft or other misuse of existing credit-card accounts happened to 2.4 percent of respondents.
At Berkeley and Tufts, however, there was theft or unusual computer activity that left Social Security numbers, which are vital to opening credit accounts in someone else's name, vulnerable.
Berkeley and Tufts suggested that we place a fraud alert on our credit accounts. Equifax, Experian and Transunion will do this for free for anyone who thinks thieves have their data. For 90 days after that (or longer if you extend the alert), credit-card application clerks, cell phone-store employees and others should see the alert anytime anyone tries to open an account in your name.
According to Equifax, the number of people asking for alerts has gone up significantly in the past year.
Berkeley and Tufts didn't offer to pay for credit monitoring. At Tufts, where our reporter attended graduate school, it turned out that his Social Security number wasn't among those exposed.
A Tufts spokeswoman says that while it was unlikely that it will pay for credit monitoring in the future, alumni can call 1-800-737-7035 to ask the school to remove their Social Security numbers from its records.
At Berkeley, where our reporter applied to -- but didn't attend -- graduate school, a staffer offered this explanation as to why Berkeley wasn't offering free credit monitoring: It was too expensive, and police were certain the thief wanted the laptop, not the data.
When we called back later and talked to a spokeswoman, she said both the police and the school's information-technology director believe the risk of identity theft wasn't enough to warrant paying for monitoring. She added that the school has kept Social Security numbers in its files to track data that it uses for research and noted that many other universities have similar practices. The university is re-evaluating its policies.
Polo provided no advice to consumers and made no public offers of assistance that we could find on its Web site. A Polo spokeswoman referred us to an April 14 statement that says "the company is confident that its credit-card system is secure."
Neal Boudette, Liz Holtzman, Susan Lillo and Jessica Mintz contributed to this article.
Journal Link: See ways to check if your personal information is secure in the workplace, at WSJ.com/PersonalJournal.
Polo Ralph Lauren
What happened: The software the company was using at its stores may have retained an unknown number of credit-card numbers for too long.
Offer to affected parties: None that we could find.
Level of service: When we called a Polo store for information, an employee said the problem was the fault of our credit-card company.
Bottom line: We wish Polo had done a better job communicating with workers and customers once the credit-card companies brought the situation to light.
What happened: A contractor moving backup tapes discovered that one containing data, including many Social Security numbers, on 600,000 current and former employees, was missing.
Offer to affected parties: A year of free credit monitoring, which would have cost $129.95 a person had people bought it directly from Experian.
Level of service: Workers at Time Warner's 800 number couldn't answer most of our questions. It took two weeks to get signed up for monitoring.
Bottom line: Its data may have been lost, not stolen, but the company still gave monitoring to everyone. That offer sets a new standard, though the execution was flawed.
What happened: Unusual activity on a computer with data, including some Social Security numbers, on 106,000 alumni.
Offer to affected parties: Set up an 800 number for questions and encouraged people to put (free) alerts on their credit reports. Didn't pay for monitoring.
Level of service: A helpful woman in the alumni office determined that our Social Security number wasn't on the computer.
Bottom line: Though the school says it is unlikely to pay for credit monitoring in the future, alumni can ask that their Social Security numbers be removed from their records.
University of California, Berkeley
What happened: A stolen laptop with many Social Security numbers belonging to 98,000 students, alumni and applicants.
Offer to affected parties: Set up a hot line and encouraged people to put alerts on their credit reports. Didn't pay for monitoring.
Level of service: Its call center transferred us directly to a knowledgeable person, something Time Warner couldn't do.
Bottom line: The people we spoke to couldn't have been more helpful and contrite, but free monitoring would have been nice.
What happened: Four computers with data were stolen from a vendor that prints loan statements.
Offer to affected parties: Offered a year of free credit monitoring using its own service.
Level of service: Let us sign up for the credit monitoring, even though the offer expired more than six weeks before.
Bottom line: We appreciated the bank's generosity, but we were surprised that our breach was the third such incident recently.