Data breaches have become all too common among retailers, businesses, educational institutions and health care facilities. Last year, 1,093 data breaches led to over 36 million compromised records in the United States, leaving millions of Americans’ personal information exposed.
The best way you can protect your information from compromise is by taking proactive measures to safeguard it, especially after a data breach. Follow us as we break down what can happen to your information after a data breach, what the law says about notifying you of breached data and how to secure information that has already been compromised.
Why are data breaches so catastrophic?
The severity of a data breach depends heavily on three elements: the type of information exposed, the number of records compromised and the number of individuals left vulnerable. Potentially compromised information can include personally identifiable information (PII) like your name, address and Social Security number, medical records, login credentials and financial account numbers. Whether your information ends up on the online black market or is used to make unauthorized purchases or create new financial accounts, data breaches give criminals access to large pools of highly sensitive data to use however they’d like.
If a data breach compromises low-risk information like phone numbers or email addresses, your identity is probably still safe. However, criminals can use that information to target you in phishing emails and scam calls, hoping to obtain more sensitive information.
If more sensitive information like your Social Security number, passwords or birth date is exposed in a breach, you may face more serious threats like fraud and identity theft. Unfortunately, there’s no way to know for sure what will come of your compromised information immediately after a breach.
What does the law say about data breach notifications?
As of March 2017, nearly every state and U.S. territory has data breach notification laws in place. Data breach notification laws regulate how companies notify their customers of data breaches involving the exposure of personal information. Because these laws are set at the state level, they can sometimes be confusing, and even contradictory.
Breach Notification Statutes Vary State-to-State
Breach notification laws assess what is deemed “personal information,” how notifications are sent to customers and time frames for notification. These specific elements can vary state-to-state.
Each state defines what it considers to be “personal information” to determine if a breach notification is necessary. Most states consider personal information to be an individual’s name paired with either a Social Security, driver’s license, or state identification card number or financial information. Some states, like Nebraska and Wisconsin, consider voiceprints and DNA fingerprints to be personal information. Other states include record-based documents like tax and health insurance data.
Notification triggers can be a particularly grey area for breach notification laws. Most states play it safe and notify customers when personal information “was or is reasonably believed to have been” compromised. But some states allow companies to first determine the risk of the exposed information before notifying impacted individuals. Other states have no specified method of determining exposure risk, but an investigation is usually opened immediately regardless of individual state statutes.
Time Limits and Delays
Delays in notification are necessary when companies are working with law enforcement to investigate a data breach. With a few exceptions, laws do not require companies to notify customers within a specified time frame. Most states merely indicate that companies must send out notifications “in the most expedient time” or “without unreasonable delay.”
Data breaches will continue to rise in 2017
Today’s technology-first atmosphere has given us so many ways to send, receive and share information about ourselves and others. Between smartphone apps, social media sites, online shopping profiles and service web portals, hackers take advantage of the digital world we live in where information exchange is constant, normal, and in many scenarios, deemed necessary.
“The rise of information available via data breaches is particularly troublesome for the industry and a boon for fraudsters.”
– Al Pascual, Javelin Strategy & Research senior vice president, research director and head of fraud & security
According to a study conducted by digital security firm Gemalto, 2016 saw a small decrease in the total number of data breaches worldwide, but an 86 percent jump in the number of records compromised. On a national scale, data breaches have increased in the U.S. nearly 40 percent since 2015.
In 2016, 52 percent of all data breaches in the U.S. exposed Social Security numbers, and 13.1 percent exposed credit and debit card numbers. Additionally, the IRS discovered a 400 percent surge in phishing emails, aligning with the 55.5 percent of U.S. data breaches caused by phishing attacks last year.
In short, criminals are changing their focus to organizations with large pools of highly sensitive data, and the surge in phishing emails suggests they’ve found an efficient method of obtaining it.
What should you do?
If you’ve fallen victim to a data breach, use these tips to help secure and avoid further misuse of your compromised information:
- Passwords: Change passwords immediately and consider using a password generator to create strong, unique passwords. Avoid password reuse so that criminals can’t gain access to more than one of your accounts with the same credentials.
- Email/Phone Number: Be aware that you may be targeted in phishing emails or scam calls in an attempt to steal more sensitive information. Avoid falling for these scams by contacting the breached organization directly with questions about the event; be wary if you receive emails and phone calls about the incident.
- Credit/Debit Cards: If fraudulent transactions occur following a data breach, you’re typically not liable for these charges. Check with your bank or card provider for your specific card’s liability policies, and request new cards immediately following a breach.
- Social Security Number: Contact one of the three major credit bureaus to place a fraud alert on your account. Be on the lookout for signs of identity theft, such as new financial accounts or lines of credit opened under your name. You may also issue a credit freeze so new credit cannot be opened in your name without your consent.
Keep following Fighting Identity Crimes to stay up-to-date on the latest breach and scam news, as well as learn more about protecting your identity with tips from our industry experts.
The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.