After The Notification: What A Data Breach Letter Really Means For You

Most people learn of a data breach not when it happens but when they get a letter about it.

The letter is usually written formally, is full of legal language, and may contain terms that most people have never heard before ("unauthorised access", "possible exposure", "investigation is ongoing"). However, the underlying meaning of all this legal jargon is very simple: your private information may no longer be safe.

Once you receive this letter from the company or organisation whose network was breached, your uncertainty over what happened starts to build. You have a lot of questions to answer: What was disclosed to others? What do I need to do next? How serious is this?

As breach notification letters become more normal in our lives, the number of questions about them has increased dramatically. A recent example of individuals receiving notification of a data breach was the Hightower Holding, LLC data breach. Sensitive personal information from a user account was compromised, and individuals received letters several weeks or months after the data breach had occurred. This highlights an important reality: breaches are usually identified long after they actually happen.

But the letter itself is just the starting point.

What Was Exposed and How It Impacts a Breach

Breach notifications often contain a list of the data that might have been exposed. That list often includes items such as name, Social Security number, address and driver's license number. The nature of a breach may seem straightforward; however, many of its implications may not be readily apparent.

Different types of data carry different risk profiles. For example, a name on its own may have somewhat limited impact, but when that name is combined with government-issued identifiers, the risk of identity theft, fraudulent applications or unauthorized activity in that person's name increases significantly.

Timing of a Breach Matters

The length of time over which the breach occurred is a significant factor in the overall risk associated with it. In the majority of cases, the data accessed in a breach may have been accessible, electronically copied and/or distributed for weeks, if not months, before the breach was detected.

By the time the breach has been detected, that data may already have circulated to locations that are difficult to track or control. This delay is not unusual, because organizations investigating breaches need an extended period of time to determine the exact location of the compromised data and the individuals impacted by the breach.

Next Steps to Protect Yourself After a Breach Notification

While a breach notification does not necessarily mean someone has compromised your identity, it does indicate an increase in your risk for such an event.

There are some fundamental actions you can take to help mitigate this risk:

- Monitor your bank accounts and credit reports.

- Consider placing fraud alerts and/or freezing your credit if you feel it's necessary.

- Be aware of phishing emails or unexpected phone calls.

- Update your passwords, especially if you share the same passwords across different accounts.

These steps prepare you for identity theft that may occur in the future; they are not a cure for identity theft that may have occurred in the past.

When someone gains access to your personal data, it raises many questions about companies' accountability for that data. Companies that collect and/or store your personal information have an obligation to protect it. A company's failure to protect your personal information can entitle you to certain legal remedies, depending on the specific facts surrounding the breach.

This is why many breach notifications go on to mention ongoing investigations and/or legal proceedings. Securing your accounts is important, and it is just as important for individuals affected by a data breach to understand their options once the breach notification has been received.

Data breach letters continue to become a part of everyday life. Breaches have become so commonplace that we now all expect our personal information to be stored, shared and retained in ever-increasing amounts as we interact online every day.

There is one other major shift associated with the growth in data breaches: the way individuals respond to them has changed dramatically. Awareness, caution and quick response have become essential tools for managing a person's risk of having their digital information misused.

Ultimately, a data breach notification is much more than just a letter informing you of the breach. It is an indication that a breach occurred. Your response to it can have a significant positive or negative impact on your risk of having your data misused.