I write frequently about the major credit reporting agencies since they collect and archive the most sensitive personal and financial data about consumers. Given that, this is a data breach that shouldn't have happened.
In many states, companies are required by state law to report data breaches. Maryland is one of the few states that publishes these breach letters online so that its residents can easily confirm any breach notification letters they receive (and make sure that the letters aren't phishing attempts). The June 26, 2009 breach notification letter from Laura Mundy, Vice President of Regulatory Compliance at Experian:
"In accordance with state law, I wish to inform you that Experian, one of the nationwide credit reporting agencies, intends to notify twenty Maryland residents about unauthorized access to their personal information. The residents will be notified by US mail this week and will be provided credit monitoring services. A copy of the written notification is enclosed.
Experian, one of the nationwide credit reporting agencies, identified that consumer information was recently accessed online after methods to authenticate their identity were completed successfully by unknown individuals. The consumer information consists of information typically found in a consumer credit report. Such information includes the consumer's name and address and one or more of the following: Social Security Number or date of birth. Experian is actively working with law enforcement to investigate this matter."
In my opinion, never have so many words said so little. This letter says the absolute bare minimum about the breach and omits the facts that matter: when it happened, why it happened, and what Experian is doing to prevent a similar incident in the future. A breach notification letter's contents should not vary whether the breach affected 20, 200 or 2 million consumers.
Experian's breach notification letter did a good job of directing consumers to www.experian.com/fraud if they have questions, and to partner.consumerinfo.com/deluxe to learn more about the post-breach credit monitoring service offered. The letter should have also:
- Explained why the free credit monitoring offer lasts only one year and not longer, since the risk to the consumer lasts longer
- Provided a description of any credit resolution services included in the credit monitoring offer
- Offered to cover the cost of consumers' Security Freeze fees to protect their credit reports
- Offered to reimburse consumers who already have a credit monitoring service in place for the annual cost of the free credit monitoring period; otherwise, these consumers get nothing from Experian
- Explained what Experian is doing so that a breach like this doesn't happen again