Data Disclosure: Frequently Asked Questions

If you have been notified that your personal information was inadvertently disclosed, or have reason to believe you may be affected, please review the following Frequently Asked Questions.

What happened?
On April 24, 2007, Stony Brook University became aware that files containing personal information were potentially visible on a Health Sciences Center library web site. Upon discovery, the University took immediate action to remove this information from the web server. At this point, we have no reason to believe that the information has been misused or that it has been accessed by an individual intending to misuse the data.

What kind of information was visible?
A follow-up investigation by IT staff and Internal Audit revealed that those files included names, Social Security numbers and University ID numbers of faculty, staff, students, alumni, and other members of the University community. The University is notifying all of the 89,853 people in the database of the incident.

How did it happen?
On April 11, 2007, the Health Sciences Center library’s web site was reconfigured and the files were inadvertently copied to a publicly accessible area. As soon as the error was reported to the University, we contacted the New York State Cyber Security Office, which in turn contacted Google on the University’s behalf and expedited the removal of the information from the search engine within 24 hours. The files were never easily accessible through Google, and information could only be retrieved through the use of multiple criteria. Logs confirm that the information was not accessed from 2002 until April 10, 2007, when it resided in a directory of files located on the web server.
The accessibility of this information, while very limited, should not have happened.  At this time, University investigators believe that the error was unintentional and not the result of wrongdoing. In addition, the University is continuing its investigation into the facts and circumstances leading to this incident and is taking steps to make sure this does not happen again. 

Why is the University alerting us now about this incident?
Stony Brook University takes the security of personal information very seriously and deeply regrets that this incident occurred. New York State law and University security practices require such an alert.  Therefore, we are proactively contacting each person whose information may have been on the web page to notify them of this incident and to offer important tips on how to monitor their credit. We are also making this information public.

What steps have been taken to protect my Social Security Number?
We are reviewing the use of Social Security numbers and other personal information in all areas of the campus and taking steps to minimize the use of this information. These steps include reviewing the access roles of all users within the software system, assessing all data inquiries, and reviewing all pertinent data feeds.

If I did not receive a letter, but want to make sure I am not one of those whose personal information was disclosed, what should I do?
Individuals who did not receive a letter but want to make sure their personal information was not disclosed should e-mail the University at disclosure@notes.cc.sunysb.edu and provide only their name. We will check the name against the database and provide you with an answer.

Why didn’t the University notify the affected individuals immediately through e-mail?
New York State law mandates that official notification for these types of issues to affected individuals must be issued via written notice unless individuals have expressly consented to receiving notice in an electronic form.

Are there any confirmed reports of fraud related to this disclosure?
No. There are no confirmed reports of fraud. We assure you we are monitoring this situation very closely.

What if my name is on the list?
Individuals whose names are on the list will be contacted at their last-known address. We are also providing additional information below that will explain ways to monitor your personal and financial information and to set up a free credit alert. If you have concerns that your name may be on the list, please contact our call center, which can be reached at 1-866-645-5830 and will be open 9:00 AM to 9:00 PM, Monday through Friday, until July 15, 2007. Updated information may be obtained by visiting www.stonybrook.edu/disclosure.

What are the actions I should take to protect my information?
It is important to remember that we have no evidence that this data has been misused or was accessed by anyone with the intent to misuse it in any way. However, you may wish to contact the three credit reporting agencies to place a free fraud alert on your credit files. Please note: Enrolling for a fraud alert will require you to submit some personal information directly to the credit reporting agencies.

How do I place a fraud alert?
You may want to take the precaution of placing a free fraud alert on your credit files held by the three national credit reporting agencies. The law allows you to place an initial fraud alert on your credit file free of charge for an initial period of 90 days. This notification alerts creditors to use additional steps to verify your identity prior to granting credit in your name.

To place a fraud alert on your credit file, please contact the toll-free number of any one of the three major credit reporting companies. They can be reached at:

Equifax:
1-800-525-6285

Experian:
1-888-EXPERIAN (397-3742)

TransUnion:
1-800-680-7289

How does fraud alert work?
A fraud alert is an alert that the three major credit reporting companies attach to your credit file. When you, or someone else, attempt to open a credit account, the lender should contact you by phone to verify that you want to open the new account. If you cannot be reached by phone, the credit account should not be opened. However, a creditor is not required by law to contact you if you have a fraud alert in place. Fraud alerts can legally be ignored by creditors.

After you place a fraud alert, it will become active with all three major credit reporting companies within 24 hours. The three credit reporting companies work together so that when you request an alert through one of the agencies, your alert request is sent to the other two agencies automatically. All three agencies will also remove your name from all pre-approved credit card and insurance offer lists for two years.

Each of the credit reporting companies will send you a current copy of your credit report by mail. The reports should arrive in one to two weeks. Once you get your reports, review them for suspicious activity, including inquiries from companies you didn't contact, accounts you didn't open, or debts on your accounts that you can't explain. Check that personal information — like your Social Security number, address(es), name or initials, and employers — is correct.

Are there drawbacks to placing a fraud alert?
A potential drawback to activating a fraud alert would occur should you attempt to open a new account. You would need to be available at either your work phone number or home phone number in order to approve opening the new credit account. If you are not available at either of those numbers, the creditor may not open the account. In addition, it may take longer to obtain credit and in some cases merchants may be hesitant to open a new account.
Fraud alerts will not necessarily prevent someone else from opening an account in your name. A creditor is not required by law to contact you if you have a fraud alert in place. Fraud alerts can legally be ignored by creditors. If you suspect that you are or have already been a victim of identity theft, fraud alerts are only a small part of protecting your credit. You also need to pay close attention to your credit report to make sure that the only credit inquiries or new credit accounts in your file are yours.

Does placing a fraud alert on my account damage my credit?
No, placing a fraud alert does not damage your credit. However, a potential drawback to activating a fraud alert would occur should you attempt to open a new account. You would need to be available at either your work phone number or home phone number in order to approve opening the new credit account. If you are not available at either of those numbers, the creditor may not open the account. In addition, it may take longer to obtain credit and in some cases merchants may be hesitant to open a new account.

I already have fraud alerts on my records. Can I place them again?
Fraud alerts last 90 days, and the system will let you know that alerts are already in place if you try to place them again before they expire. You will not be notified when fraud alerts expire, so note the date when you place them. You can place them every 90 days for as long as you wish.

Why can't Stony Brook University do the fraud alert with the credit agencies for us?
Under the credit agencies' policies, each individual must initiate the action. This is a protection for all individuals on whom the credit agencies maintain records. The University is not authorized to initiate this action regarding your credit, nor can it determine irregularities in your credit history.

How long should fraud alerts stay in place at the various credit repositories?
An initial fraud alert lasts 90 days. You can remove an alert by calling the credit bureaus at the phone number given on your credit report. If you want to reinstate the alert, you can do so after 90 days.

Why can’t I talk to someone “live” to put a fraud alert on my file? Should I be concerned about giving them my Social Security number?
All three major credit reporting agencies use an automated phone system for setting up the fraud alert and are not generally set up to take down fraud alert requests “live.” Credit agencies will need to verify your identity, which may require the use of your SSN and other similar information.

If you prefer to mail your request to the credit bureaus, the addresses are below.

TransUnion
Fraud Victim Assistance Department
P.O. Box 6790
Fullerton, CA 92834

Equifax Credit Information Services
Consumer Fraud Division
P.O. Box 740256
Atlanta, GA 30374

Experian
Experian’s National Consumer Assistance
P.O. Box 2002
Allen, TX 75013

What should I do to monitor my credit?
Once you have taken the precautions of placing a fraud alert and requesting a credit report, watch for signs that your information is possibly being misused.  For example, call the customer service lines of your bank accounts and credit cards to review your current charges.

Other signs include:

  1. Receiving credit cards that you didn’t apply for
  2. Being denied credit, or being offered less favorable credit terms, like a high interest rate, for no reason apparent to you
  3. Getting calls and letters from debt collectors or businesses about merchandise or services you didn’t buy
  4. Not getting certain bills or other mail on time

Continue to read your financial account statements promptly and carefully.  Also, monitor your credit reports every few months in the first year, and once a year thereafter. For additional steps you can take, please visit: www.consumer.state.ny.us/security_freeze.htm.

What do I do if my credit accounts have been tampered with or if new accounts have been fraudulently opened?
If you observe suspicious activity, contact your creditors immediately. Ask to speak to someone in the security or fraud department, and follow up in writing. If you discover a changed billing address on an existing card, close the account immediately. When you open a new account, ask that a password be used before any inquiries or changes can be made on the account. When selecting a password or personal identification number, avoid using easily available information or any of the information related to your name or Social Security number.

Also, file a report about your identity theft with the police, and file a complaint with the Federal Trade Commission at www.ftc.gov/bcp/edu/microsites/idtheft/. Read Take Charge: Fighting Back Against Identity Theft for detailed information on other steps to take in the wake of identity theft.

Where can I find the most up to date information on this incident?
Any important new information will be posted online at www.stonybrook.edu/disclosure. For additional questions, please send an e-mail to disclosure@notes.cc.sunysb.edu.
