Security Incident
Frequently Asked Questions (FAQs)

FOR INTERNAL USE ONLY

Questions About The Incident

1. What happened?

On June 17, 2015, a human resources employee discovered, during a business trip, that he had left his Company-issued laptop computer in the pocket of his airplane seat.  The employee promptly notified the major airline on which he had flown and remained in contact with the airline in an effort to recover the laptop.  The laptop has not yet been recovered.  

2. What information was on the laptop?

The laptop contained employees’ personal information, including names, dates of birth, Social Security numbers, home addresses and personal telephone numbers.  Fortunately, the laptop did not include any credit or debit card numbers.

3. Was the information on the laptop protected?

The laptop was protected by a strong password.  

4. Is my personal information at risk of being misused?

There is currently no reason to believe that your personal information has been misused.  

5. Why do think my personal information is not at risk of being misused?

There are several reasons:

• The laptop was protected by a strong password.
• Nothing about the laptop would alert an observer that it contained personal information.
• Software that permits remote monitoring of the laptop indicated that the laptop had not been recently powered up or otherwise accessed.  To date, the Company has received no information suggesting that any unauthorized person obtained the laptop or was able to access the data.
• We also have received no reports to date indicating that any personal information stored on the laptop has been misused.  

6. What is the earliest date at which suspicious activity might have occurred due to this incident?

The earliest date on which any suspicious activity could have occurred is June 17, 2015.

7. Why did you wait until now to inform us?  

Although the human resources employee informed us on June 17th about the loss of the laptop, the employee did not realize until several weeks later that personal information was stored on the laptop.  As soon as we received that information, we worked diligently to determine the full scope of the personal information stored on the laptop.  We then moved quickly to contract for identity protection services for you, to prepare and mail a notice to all affected individuals, and to establish administrative support for your questions,

8. What is the Company doing about the situation?

Although we have no information to suggest that the personal information on the laptop has been misused or even accessed, out of an abundance of caution, the Company is providing two years of identity protection services to all affected individuals.

9. Has the Company fired the responsible employee?

The Company does not comment on personnel decisions involving other employees.

10. What is the total number of employees affected by this incident?

Approximately 4,000 current and former employees were affected.

11. What is the Company doing to ensure that this does not happen again?

We can assure you that the Company is taking this incident seriously, and we are enhancing the Company’s information security to prevent a recurrence.  For example, the Company is strengthening its protections for all data, in particular data stored on mobile devices to reduce the risk of loss from those devices.  We are also implementing more robust incident response procedures

12. Have you contacted law enforcement?

Yes, we have contacted law enforcement and will cooperate fully with any police investigation.

13. How could this happen?

Please know that we deeply regret this security incident.  We are dedicated to the security of our employee’s information and to preventing something like this from happening again.

14. What should I do if I am contacted by the news media about this?

Follow the Company’s standard media policy regarding statements to the media.  Please refer any inquiries from the news media for comments on the Company’s behalf to Roop and Company.  Do not respond to any questions for the Company.  Simply say: “Roop will try to provide you with answers to your questions.” Roop’s contact information is:  phone number: 216.902.3800, email:  media@roopco.com

Questions About Services the Company Has Arranged

15. What is credit monitoring?

Monitoring your credit reports regularly is your first line of defense.  Credit monitoring is a very effective tool for becoming aware of fraudulent activity.  Every week, you’ll be informed of changes to your credit report, alerting you to activities such as:

• New inquiries
• New accounts opened in your name
• Late payments
• Improvements in your report
• Bankruptcies and other public records
• New addresses

16. What type of credit monitoring service is the Company offering?

The Company is providing you with two years of free credit monitoring through Experian.  This product is known as ProtectMyID® Elite. 

17. What are the benefits of credit monitoring through ProtectMyID Elite?

Early detection is the key to identifying fraud and preventing the damage it can cause.  Monitoring alerts make you aware of changes in your credit file that could indicate the kind of unauthorized activity commonly associated with identity theft and fraud.

ProtectMyID Elite monitors credit reports of individuals with established credit.  The benefits include the following: 

(a) Monitoring the Experian credit file every day and email alerts of key changes indicating possible fraudulent activity sent within 24 hours;

(b) Monthly “No Hit” alerts, if applicable;

(c) Identity theft insurance; and

(d) Fraud resolution services in which a ProtectMyID agent walks you through resolving identity theft.

18. Does ProtectMyID Elite monitor all three credit bureaus?

No, ProtectMyIDElite monitors only the Experian credit file, not the credit files of Transunion or Equifax.  However, Experian has the largest credit file of the three national credit bureaus.

19. How do I activate the credit monitoring service?

Please visit www.protectmyid.com/protect and enter the activation code provided in your notification letter.  You will be instructed on how to initiate your online membership.  If you have any difficulty accessing this product on-line, please call Experian at (866) 751-1324 for assistance.

20. Is there a deadline to enroll in ProtectMyID Elite?

Yes. Individuals should promptly decide whether they wish to enroll.  The deadline for enrolling is October 31, 2015.

21. What should I do if I receive a credit monitoring report?

If there are no changes to your credit report during a particular month, you will receive an “all clear” report for that month.  In that case, there is nothing for you to do.

If you receive a report other than an “all clear” report, the report will reflect certain credit activity in your name that’s commonly associated with identity theft, such as applying for a new credit card or loan, a change of address, etc.  If the transaction isn’t one you initiated, simply call ProtectMyID toll free and Experian will immediately put you in touch with a fraud resolution agent to find out what’s happening and work to correct the problem.

22. I haven’t noticed any suspicious activity, but what can I do to protect myself and prevent being victimized by identity theft?

While we have no reason to believe that the laptop has ended up in the hands of an unauthorized person, you still may want to take steps to help protect yourself.  In addition to enrolling in Experian’s ProtectMyID service, consider taking the following measures:

• Review your credit reports.  You can receive free credit reports by placing a fraud alert.  Under federal law, you also are entitled every 12 months to one free copy of your credit report from each of the three national credit bureaus.  To obtain a free annual credit report, go to www.annualcreditreport.com or call (877) 322-8228.  You may wish to stagger your requests so that you receive a free report from one of the three credit bureaus every four months.  
• Review your account statements.  You should carefully review for suspicious activity the statements that you receive from credit card companies, banks, utilities and other service providers.  
• Respond to suspicious activity.  If you receive an e-mail or mail alert from Experian, contact an Experian fraud resolution representative at (866) 751-1324.  If you notice suspicious activity on an account statement, report it to your credit card company or service provider and consider closing the account.  You also should consider reporting such activity to your local police department, your state’s attorney general, and the Federal Trade Commission.  Importantly, Experian will not contact you by telephone.  If you receive a telephone call from someone claiming to be from Experian, please contact an Experian representative immediately at (866) 751-1324.
• Consider placing a fraud alert with one of the three national credit bureaus.  You can place an initial fraud alert by contacting one of the three national credit bureaus listed below.  For 90 days, an initial fraud alert tells creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts.  For that reason, placing a fraud alert can protect you but also may delay you when you seek to obtain credit.  The contact information for all three bureaus is as follows:

23. What should I do if I detect suspicious or unusual activity?

Your first point of reference should be to the written materials received in the Notice Letter.  Alternately, you should call Experian at (866) 751-1324.

Questions About Identity Theft

24. What is identity theft?

According to the United States Department of Justice, the terms identity theft and identity fraud “refer to all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for economic gain.”  

25. Am I at risk of identity theft?

We do not know if anyone has accessed the information on the laptop.  However, we cannot eliminate the possibility that someone might access the information and attempt to misuse it.  Consequently, the Company sent you a notice about the incident to make you aware of the situation and to permit you to take advantage of the ProtectMyID service that the Company has arranged.  You should consider activating ProtectMyID to reduce the risk that you will be victimized by identify theft and to protect yourself if identity theft does occur.

26. Do I need to cancel my credit cards and change bank/checking accounts?

As far as we are able to determine, your credit card and financial account information are not at risk.  However, you should still check your credit reports, credit card statements, and financial account statements for suspicious activity.  If you do observe any suspicious activity, you should contact Experian at (866) 751-1324 for assistance.

27. Has anyone been victimized by identity theft because of this incident?

To date, we are not aware that anyone has been victimized by identity theft because of this security incident.

28. What do I do if I learn that my identity has been misused?

Contact Experian, explain the situation, and tell them you would like to use their ProtectMyID services.

Contact [insert name and title] at the Company so that we can keep abreast of the risk.  The contact information for [insert name and title] is [contact information].

File a police report with your local police or the police in the community where the identity theft took place.  Get a copy of the report or at the very least, the number of the report to submit to creditors and others who may require documentation of the crime.

File a complaint with the Federal Trade Commission.  The FTC maintains a database of identity theft complaints which can be accessed by law enforcement agencies for investigations.  You can report identity theft at www.ftc.gov/idtheft or by calling the following toll-free number: (877) ID-THEFT (438-4338).

For more information on recovering from identity theft and help with specific problems, read “Take Charge: Fighting Back Against Identity Theft,” a publication from the FTC.  It’s available online at www.ftc.gov/idtheft (specific link is: https://www.consumer.ftc.gov/articles/pdf-0009-taking-charge.pdf) or you can call (877) ID-THEFT to order a free copy.

If you observe suspicious activity, contact your creditors immediately.  Ask to speak to someone in the security or fraud department, and follow-up in writing.  If you discover a changed billing address on an existing card, close the account immediately.  When you open a new account, ask that a password be used before any inquires or changes can be made on the account.  When selecting a password or personal identification number avoid using easily available information or any of the information related to your name or Social Security number.

29. Where can I find more information about data security and identity theft?

The resources below provide information about data security, privacy protection and identity theft:

• Your state attorney general
• Federal Trade Commission ID Theft Information
• Identity Theft Resource Center
• The Privacy Rights Clearinghouse

Questions About Free Credit Reports

30. How do I request a copy of my credit report?

You can request a copy of your credit report yourself once a year from each of the three main credit bureaus through the Annual Credit Report Request Service by calling (877) 322-8228 or by visiting www.annualcreditreport.com.  Many people choose to stagger their requests so that they receive a copy from one of the agencies every four months.

31. Do I have to pay for the credit report?

No.  You can order your credit reports from all three credit bureaus for free once a year.

32. What should I look for in my credit report?

When reviewing your credit reports, be on the lookout for suspicious activity including:

• Inquiries from companies you haven't contacted or done business with;
• Purchases or charges on your accounts you didn't make;
• New accounts you didn't open or changes to existing accounts you didn't make; and
• Address where you never lived in the “Personal Information” section.

33. What are other signs that I might be a victim of ID theft?

• Bills that do not arrive as expected;
• Unexpected credit cards or account statements;
• Calls or letters about purchases you did not make; and
• Denials of credit for no apparent reason.

34. How often should I order new credit reports and how long should I go on ordering them?

It might be a good idea to order copies of your credit reports every three or four months for a while.  How long you continue to order them is up to you.  Identity thieves usually, but not always, act soon after stealing personal information.  Thereafter, consider checking your credit reports at least twice a year as a general privacy protection measure.

Questions About Fraud Alerts

35. What is a fraud alert?

A fraud alert tells creditors to contact you before opening any new accounts or changing your existing accounts.  Once you notify one of the three national credit bureaus of your fraud alert, the others will be notified to place a fraud alert as well.  All three credit bureaus also will send you one credit report, free of charge.

36. Can I place a fraud alert on my credit report?

Yes.  You can contact any of the three national credit bureaus at the following telephone numbers or URLs:

Equifax:         (888) 766-0008; www.equifax.com

Experian:         (888) 397-3742; www.experian.com

TransUnion:         (800) 680-7289; www.transunion.com

If you call just one of the bureaus, they will notify the other two.  A fraud alert will be placed on your file with all three, and you will receive a confirming letter from all three.

37. Are there drawbacks to placing a fraud alert?

A potential drawback to activating a fraud alert would occur should you attempt to open a new account.  You would need to be available at either your work phone number or home phone number in order to approve opening the new credit account.  If you are not available at either of those numbers, the creditor may not open the account.  In addition, it may take longer to obtain credit and in some cases merchants may be hesitant to open a new account.

Fraud alerts will not necessarily prevent someone else from opening an account in your name.  A creditor is not required by law to contact you if you have a fraud alert in place.  If you suspect that you are or have already been a victim of identity theft, fraud alerts are only a small part of protecting your credit.  You also need to pay close attention to your credit report to make sure that the only credit inquiries or new credit accounts in your file are yours.

38. Does placing a fraud alert on my account damage my credit?

No, placing a fraud alert does not damage your credit.

39. Will a fraud alert stop me from using my credit cards or obtaining new credit?

No, it will not stop you from using your credit cards.  However, it may slow the process of obtaining new credit.  Since the purpose of the fraud alert is to protect you from allowing someone else to open credit in your name, creditors will need to re-verify the identity of the person applying for credit.

40. How long does a fraud alert last?

An initial fraud alert lasts 90 days.  You can remove an alert by calling the credit bureaus at the phone number given on your credit report.  If you want to reinstate the alert, you can do so.

41. Can I extend a fraud alert placed on my credit file?

You may extend a free 90-day fraud alert by reinstating the alert when it expires.  There is no limit to the number of times a free alert can be placed on your account, but the responsibility for reinstating the alert rests with you.

42. I called the credit bureau fraud line and they asked for my Social Security number.  Is it okay to give it?

The credit bureaus ask for your Social Security number and other information to identify you and avoid sending your credit report to the wrong person.  It is okay to give this information to the credit bureau when you call them.

Questions About A Security Freeze

43. What is a security freeze and how do I place one on my credit file?

A security freeze means that your credit file cannot be shared with potential creditors or other persons considering opening new accounts unless you decide to unlock your file by contacting a credit reporting agency and providing a PIN or password.  Most businesses will not open credit accounts without first checking a consumer’s credit history.  If your credit files are frozen, even someone who has your name and Social Security number would not likely be able to get credit in your name.

44. Do you recommend that I place a security freeze?

The security freeze (or credit freeze) is an option generally best reserved for people who have experienced extreme ID theft.  Because the freeze essentially locks down your credit, it can be inconvenient for people who are simply seeking extra protection for their credit.

45. I currently have a security freeze/lock on all my credit reports.  Can I still do credit monitoring?

Yes, most states with credit freeze legislation provide an exemption so that credit monitoring can occur.  If you reside in one of these states, there may be an extra “verification” step for you to complete during monitoring activation, but the monitoring should still be activated.  Because credit freeze laws are being written into law constantly nationwide, we are not able to let you know what your state’s specific exemptions are.  We recommend researching the issue on the credit bureaus’ websites or on sites explaining your state’s freeze legislation.  If you have the time, it might be worth it just to try the monitoring and see if it goes through.  To learn more, contact your State Attorney General’s office or visit the Federal Trade Commission’s website at www.ftc.gov/idtheft and click on the link for credit freeze information.

Other Questions

46. Should I contact the Social Security Administration and change my Social Security number?

The Social Security Administration very rarely changes a person’s Social Security number.  The mere possibility of fraudulent use of your Social Security number would probably not be viewed as a justification.  There are drawbacks to changing your Social Security number.  The absence of any history under the new Social Security number would make it difficult for you to get credit, continue college, rent an apartment, open a bank account, get health insurance, etc.  In most cases, getting a new Social Security number would not be a good idea.