by John Burcham
May 24, 2017
Data breaches have become all-too-common amongst retailers, businesses, educational institutions and health care facilities. Last year, 1,093 data breaches led to more than 36 million compromised records in the United States, leaving millions of Americans’ personal information exposed.
The best way you can protect your information from compromise is by taking proactive measures to safeguard it, especially after a data breach. Follow us as we break down what can happen to your information after a data breach, what the law says about notifying you of breached data and how to secure information that has already been compromised.
Why are data breaches so catastrophic?
The severity of a data breach depends heavily on three elements: the type of information exposed, the number of records compromised and the number of individuals left vulnerable. Potentially compromised information can include personally identifiable information (PII) like your name, address and Social Security number, medical records, login credentials and financial account numbers. Whether your information ends up on the online black market or is used to make unauthorized purchases or create new financial accounts, data breaches give criminals access to large pools of highly sensitive data to use however they’d like.
If a data breach compromises low-risk information like phone numbers or email addresses, your identity is probably still safe. However, criminals can use that information to target you in phishing emails and scam calls, hoping to obtain more sensitive information.
If more sensitive information like your Social Security number, passwords or birth date is exposed in a breach, you may face more serious threats like fraud and identity theft. Unfortunately, there’s no way to know for sure what will come of your compromised information immediately after a breach.
What does the law say about data breach notifications?
As of March 2017, nearly every state and U.S. territory has data breach notification laws put into place. Data breach notification laws regulate how companies notify their customers of data breaches involving the exposure of personal information. Because these laws are governed on a state level, they can sometimes be confusing — and even contradictory.
Breach Notification Statutes Vary State-to-State
Breach notification laws assess what is deemed “personal information,” how notifications are sent to customers and time frames for notification. These specific elements can vary state-to-state.
Personal Information
Each state defines what it considers to be “personal information” to determine if a breach notification is necessary. Most states consider personal information to be an individual’s name paired with either a Social Security, driver’s license, or state identification card number or financial information. Some states, like Nebraska and Wisconsin, consider voiceprints and DNA fingerprints to be personal information. Other states include record-based documents like tax and health insurance data.
Notification Triggers
Notification triggers can be a particularly grey area for breach notification laws. Most states play it safe and notify customers when personal information “was or is reasonably believed to have been” compromised. But some states allow companies to first determine the risk of the exposed information before notifying impacted individuals. Other states have no specified method of determining exposure risk, but an investigation is usually opened immediately regardless of individual state statutes.
Time Limits and Delays
Delays in notification are necessary when companies are working with law enforcement to investigate a data breach. With a few exceptions, laws do not require companies to notify customers within a specified time frame. Most states merely indicate that companies must send out notifications “in the most expedient time” or “without unreasonable delay.”
Data breaches will continue to rise in 2017
Today’s technology-first atmosphere has given us so many ways to send, receive and share information about ourselves and others. Between smartphone apps, social media sites, online shopping profiles and service web portals, hackers take advantage of the digital world we live in where information exchange is constant, normal, and in many scenarios, deemed necessary.
According to a study conducted by digital security firm Gemalto, 2016 saw a small decrease in the total number of data breaches worldwide, but an 86 percent jump in the number of records compromised. On a national scale, data breaches have increased in the U.S. nearly 40 percent since 2015.
In 2016, 52 percent of all data breaches in the U.S. exposed Social Security numbers, and 13.1 percent exposed credit and debit card numbers. Additionally, the IRS discovered a 400 percent surge in phishing emails, aligning with the 55.5 percent of U.S. data breaches caused by phishing attacks last year.
In short, criminals are changing their focus to organizations with large pools of highly sensitive data, and the surge in phishing emails suggests they’ve found an efficient method of obtaining it.
What should you do?
If you’ve fallen victim to a data breach, use these tips to help secure and avoid further misuse of your compromised information:
This article originally appeared in Fighting Identity Crimes.
This article was written by John Burcham from Business2Community and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.