What To Do When You Receive A Data Breach Letter

A couple weeks ago I received three letters from three different companies within three business days of one another. Every letter said the same thing, “We’re writing to inform you of a cybersecurity incident.” Technically there were six letters, but three were addressed to my children because their data was compromised, as well.

These data breaches – events where an entity gains unauthorized access to confidential information – occur at healthcare providers, 401(k) administrators, online retailers, 529 plan administrators, and more. Name most any organization with a digital presence and it’s more than like they’ve been the victim of a cyberattack.

Data breaches have become unfortunately common as our reliance on digital technology and the internet has grown along with the amount of personal and sensitive data being stored online. Approximately 83% of data breaches were financial-related, and there are over 30,000 websites attacked every day. Further, about 44% of all attacks include the personally identifiable information (PII) of customers, according to IBM
IBM
.

But what can you do? Cyberattacks are so common and the notices so frequent that many Americans just shrug their shoulders. However, there are actions you can take both proactive and reactive to avoid – or at least mitigate – the risk to you, your family, and your business.

How To Prevent A Data Breach

Sometimes the cause of a data breach is beyond our control: A company we use falls victim to a phishing attack or malware. Sometimes, as above, a single software provider can have a cascading effect on all the firms it services and supports. However, there are some additional steps Americans can take to help prevent data breaches.

• Protect Login Information – Use strong, unique passwords using random characters, letter, numbers, and symbols. If possible, enable two-factor authentication, as well.
• (Digital) Paranoia Is Your Friend – Educate yourself about phishing attacks, the even more dangerous “spearphishing,” suspicious email, and avoid downloading anything you did not initiate, recognize, or otherwise source from a trusted partner.
• Take Local Data Protection Measures – In additional to internet security, there are measures you can take at home. Regularly back up important data to a secure location, be it cloud-based or on your own local media. Secure your Wi-Fi network, and limit the number of people and devices with access.
• Update Software & Hardware – Regularly and automatically update all software. Additionally, not only does software need updating, but firmware, as well. Most electronic devices, especially those that connect to your network and/or the internet, have some form of firmware. Your router and PC hardware are the most obvious and important, but don’t forget smart devices. For example, many home theater receivers and printers need to be updated, as well.
• Family And Employee Education – The best protection against cybersecurity threats are educated, vigilant stakeholders. Most employers have some form of cybersecurity policy, but what about your family? Children are often the weakest link in your online defenses, so be sure to educate everyone that touches your digital interests.

How To Respond To A Data Breach

If you received a notification about a data breach the best way to respond depends on the type of event and severity.

• Determine The Nature Of The Breach – Carefully read the data breach notification you received. Look especially at what information was compromised, how the breach occurred, and the potential risks to your personal data. Some businesses, like healthcare and finance, represent a greater risk to you.
• Implement Prevention Measures – It may seem counterintuitive, but many of the “preventions” previously discussed also apply after a breach. You may need to change your passwords, enable two-factor authentication, review your accounts, and update your software and/or hardware, among the other recommendations.
• Contact The Organization – The organization that sent the breach notification letter may have additional information available. Look for contact information if you do not understand or need clarification around the breach. It’s your data, and you have a right to understand what happened and how you were impacted. Most importantly, the organization may also provide identity theft protection, credit monitoring, and/or other services to you for free as a result of the data breach. If these services are not explicitly offered in the notification, be sure to ask!
• Check Your Credit Report – Request and review your credit reports from the major credit bureaus. You have the right to request one free copy each year from each of the three major consumer reporting companies (Equifax
  EFX
  , Experian and TransUnion) by visiting annualcreditreport.com. Look for any unfamiliar accounts or activity that could indicate identity theft.
• Consider Additional Measures – Depending on the extent of the breach and the sensitivity of the compromised information, you might want to take additional precautions:

1. Fraud Alerts and/or Credit Freezes – Consider placing a fraud alert or credit freeze on your credit reports to prevent unauthorized access. It is free to place a freeze on your credit report by establishing an account with each of the respective agencies and requesting the service. You will need to lift the freeze to let lenders and other companies access your credit files again, such as when you need a mortgage or a loan.
2. Identity Theft Protection Services – If not offered as a result of the breach itself, you can enroll on your own with an independent company. There are many organizations that offer identity theft prevention services such as Aura and LifeLock. These services are also sometimes offered as an employee benefit, so check with your employer, as well.

Data breaches can lead to identity theft, fraud, and targeted attacks such as spearphishing, so it’s crucial to respond promptly and take precautions to safeguard your personal information. If you suspect that your personal information is being misused, report it to the appropriate authorities and take steps to mitigate potential damage.

If you are an individual who would like additional information, visit the identity theft resource page from the United States Federal Trade Commission. If you are a small business owner the FTC also has guidance for you.