What to do if you receive a data breach notification letter?
Summary: If you've received a breach notification letter, you rightly have many questions. Consider this your go-to guide for understanding your letter, what kind of data breach has affected you, and what to do now to protect yourself.
Knowing what to do next depends on first understanding why you received a letter to begin with.
With the number of data breaches in recent years, and thanks to stronger federal and state privacy laws, it's becoming more and more common to receive a notification letter in the mail. These letters provide information about the breach and may even contain one-size-fits-all fraud prevention measures, but they won't explain the real risks you face or provide you with a custom plan of action.
So what should you do when you've been affected by a data breach? The answers depend on two things:
- What kind of organization had the breach
- What kinds of information were exposed
While nothing is a replacement for the hands-on, personalized attention our care team provides, this article will help you answer these questions and identify some steps you can take to minimize your own personal risk. (If you’re an IDX member, our team of fraud and identity recovery experts will personally assist you in deciphering the letter and managing your response.)
A data breach occurs when an unauthorized party gains entry to a corporation’s database and can access customer data such as passwords, credit card numbers, Social Security numbers, banking information, driver’s license numbers, medical records, and other sensitive information.
# Step 1: Find Out What Information Was Breached
If you receive a breach notification letter, it may tell you what personal information was exposed in a breach, but it may not give you the full picture for a couple of reasons. First, businesses are wary of bad press and legal liability and typically won't give out more information than they have to, and breach notification requirements vary from industry to industry and state to state. Second, new privacy laws set shorter and shorter deadlines for breach notification, and sometimes new information comes to light weeks or even months after a breach is first discovered.
You might also hear about a data breach in the news before you receive a notification letter. If so, news coverage may include a web address where you can go to find out whether your information may have been exposed, as happened with the 2017 Equifax data breach.
In either case, your best bet is to watch the news as the story develops. It's not uncommon for more information to come to light over a period of weeks or months. In the meantime, take the breach notification letter or news stories as a starting point and then assume the worst.
To help guide your defense plan, think through all the information that you may have shared with that organization and make a list of what information they have. Ask yourself:
- Where else do you use the same username and password that might give criminals access to other accounts?
- Did the organization use your Social Security number as an ID?
- Did you use your email address as a username?
- What credit cards or account numbers did you give them for payments or deposits?
- Were they storing your health data or tracking your travels?
- Did they archive personal communications or photos that you might not want to have public?
All of this information could be used to hijack your identity or used against you in other ways. It’s important to know what information may have been exposed so you can take steps to mitigate harm, for example by changing passwords on other accounts that use the same credentials or by activating a fraud alert on your credit profile.
# Step 2: Make an identity defense plan
The personal information exposed in a data breach will typically fall into three broad categories. Take a look at your list of shared information and sort it into the following categories:
- Financial information: Information tied to credit cards, bank or brokerage accounts, money market funds, loans or lines of credit, etc. This also includes Social Security numbers, which are tied to retirement benefits, taxes, and refunds, and sometimes veterans (VA) benefits.
- Medical information: This can include health plan numbers and member IDs for private insurance or Medicare/Medicaid, as well as information about medical conditions and treatment.
- Other personal information: This includes all kinds of personal details which may not be protected by privacy law but which might be used to con, coerce, or embarrass a breach victim. Such information can also be used in phishing attempts to scam you, your family, or business contacts into giving up personal information.
# No one is breach-proof, but you can be prepared
Unfortunately, data breaches will happen. We live in a digital, connected world, and bad guys will always find a way to get at personal information. In fact, the number of data breaches rose 68 percent last year to the highest total ever, which explains why 1 in 20 Americans have been victims of identity theft.
You can't prevent breaches, but you can help keep criminals from using breached information by using the techniques outlined here. So, be on alert for news of breaches, be prepared to protect your identity, and watch for signs of identity theft so you can stop the crime in progress and limit the damage.
You can also be proactive about protecting your privacy — the less personal information cybercriminals can access, the better! IDX Privacy protection gives you access to powerful tools and guidance that make it easy to protect your online privacy. After all, you should be in control of your privacy.