If you live in Ohio, by now you’ve heard about the loss of the computer backup tape. You may even have received a notice from the state that your information was on the lost tape. By some estimates, the information from as many as one in six Ohio taxpayers was on the tape in one form or another.

On 10 June, the tape was stolen from a state employee’s car. The employee had the tape off-site as part of their regular backup procedures to ensure that they would be able to restore their computer systems if something happened to their data center. By all accounts, the information was stored on the tape in a proprietary format that would be very difficult for any outsider to read or interpret. If you’ve received one of these notices, the probability that your information will be misused is extremely low. You are at far greater risk of identity theft from a family member or friend than from an anonymous crime of opportunity.

If you have received such a notice, you do have a few choices. First, verify that the notice is legitimate. The first round of notices went out from the Ohio Department of Taxation. The second round came from the Ohio Department of Administrative Services. There are unconfirmed reports of fake notices, but you can confirm that a notice is real by going to the state’s official site at www.ohio.gov/idprotect/. Don’t respond to any telephone call or email on this topic. The state is contacting individuals only by mail.

Second, I strongly recommend that you check your credit report regardless of whether you’ve received a notice or not. You are entitled to a free copy of your credit report every 12 months. Look for accounts that you didn’t open. If you find something suspicious, follow the dispute-resolution procedures included with the credit report. Consider checking just one of the three major agencies right now, the next in 4 months and the last in 8 months. That gives pretty good coverage at three times the frequency.

Third, watch your existing accounts carefully. Check for unauthorized charges or withdrawals and watch out for missing monthly statements or bills. Hackers often file a change-of-address to keep you from noticing the abuse. Call your financial institution if you see anything suspicious.

Fourth, think about the identity theft service offered by the state. The state has contracted with Debix to put a fraud alert on your credit report if you sign up with them. You can do the same thing in a few minutes by calling or mailing the fraud department of the credit bureaus. Debix also offers some other services, but again, nothing that you can’t do for yourself (and have probably already done if you’ve been reading our Tips regularly). Personally, I will not be giving yet another copy of all my personal information to a state-contracted agency when I can do it so easily myself. Note: the fraud alerts expire every three months. Don’t forget to renew. And remember that while most creditors will check before opening a new account, they are not required by law to do so. A fraud alert does not replace checking your credit report regularly.

On the other hand, if you don’t think that you’ll remember to check your credit report regularly, a service like Debix can be useful.

If you received the notice for your company (rather than about your personal information), there is nothing special that you need to do. It is much harder to abuse a corporate tax ID number than it is to abuse a SSN. Your organization’s normal fraud-control procedures are probably sufficient to protect the company.

You should also learn from the state’s example. Protect your company from a similar breach by reviewing and updating your data backup procedures. Make sure that the off-site backups are kept well protected and are encrypted if at all possible.
