What to Do After A Data Breach
May 21, 2020 | Last Updated on: July 22, 2022
May 21, 2020 | Last Updated on: July 22, 2022
As more and more of our lives and business activities are conducted online, it has become increasingly easy for thieves to gain access to personal information and use it to their advantages. Data breaches are unfortunately a somewhat common event in our world today and can cause serious damage to a personâ€™s or businessâ€™ finances, reputation, and overall well-being. Theyâ€™re so common, in fact, that itâ€™s almost inevitable that at some point you will find yourself on the losing end of a breach. So, what can you do to protect yourself or your employees once a breach has occurred?
As a small business owner or employee, there are steps you can take to both protect yourself and your staff, but itâ€™s important to have a clear understanding of what happened. Here are some things to keep in mind, both before a data breach and after one has occurred:
If youâ€™re a business owner, this may be a bit more complicated, but itâ€™s important to know how a breach happened so that you can start to fix the vulnerability. This may involve hiring a consultant or working with your IT/internet provider to find out when the breach occurred, where it is suspected to have originated from, and what (if any) data was illegally accessed.
Personal account holders have it slightly easier, since youâ€™ll be alerted by the breached company after it happens, but youâ€™ll still want to find out how, when, and where it happened to make decisions on your next best steps.
Once youâ€™ve been alerted that a breach has occurred, the first thing youâ€™ll need to do is determine the scope of what was accessed, taken, or compromised. This information may be included in the notice you received from the data manager (company), or you may need to dig around to find it.
Healthcare data includes data that youâ€™ve given to your doctors, hospitals, and insurance information. Thieves can use this data to commit fraud, obtain unnecessary medical care, and possibly access other accounts.
Financial data includes payment account numbers, debit card or credit card data, and other information such as passwords and addresses or phone numbers. Using this data, bad actors can open accounts in your name or make fraudulent purchases.
Government data is among the most sensitive information we have, and includes social security numbers, dates of birth, tax ID numbers, and more. Criminals can use this information in all sorts of situations, including obtaining your tax refunds, opening accounts, and accessing your financial accounts.
There are priority levels that are generally assigned to various pieces of personal information, so itâ€™s also important to understand where you fall on the spectrum. Just because a certain type of breach occurred, it doesnâ€™t mean youâ€™re safer or less safe. Youâ€™ll need to determine the priority of what was accessed.
Low: Low priority data includes names and addresses, both of which are still widely available in phone books (where still printed) and online. Thereâ€™s enough information to be an annoyance to the people whose data was accessed, but not enough to do any real damage to credit or other personal information.
Medium: Medium priority data includes email addresses, dates of birth, and card information like credit card numbers. With this data, a bad actor can make purchases, create spam mailing lists, and access all sorts of financial information about their subjects.
High: High priority data includes passwords, social security numbers, passport numbers, payment card security numbers and PIN numbers. In combination with other types of data, things like passwords and card numbers can allow thieves to open credit accounts and make other movements.
Itâ€™s easy to see how each of these data types and priorities are intertwined with each other. If one type of your information has been accessed, assume that itâ€™s all at risk and act accordingly. Similarly, donâ€™t assume that you are safe just because a breach only exposed your name or address, because it may be possible to determine other information from those bits.
The entity whose systems were breached may try to reassure you and your employees that no sensitive data was accessed, or that if it was, there are measures in place to protect your accounts. While that may be true, itâ€™s best to take your own steps to respond and protect yourself.
Use the same password for all accounts? Havenâ€™t changed your password or security questions since high school? Sharing a social media account with someone else? Itâ€™s a good idea to change passwords for all of your accounts, not just the ones that were involved in the data breach. Assume the worst, and train yourself to believe that the thieves now have access to all of your accounts. That sounds extreme and like a major pain, but itâ€™s a small price to pay to safeguard your other accounts. Donâ€™t reuse passwords across accounts and make sure that theyâ€™re strong enough to resist easily being guessed.
Password managers work well for this, and many new smartphones and computers have built-in software that both generates and stores passwords. The problem here is, that if the thieves have access to your master password, they have access to everything else. You may also consider implementing two-factor authentication to help protect your online accounts. This will require a password and some other verification such as a code texted to a phone number or email account.
Once you know that youâ€™ve got a problem with your personal data, start contacting your financial institutions. They can help you replace your cards or change account numbers, update passwords in some cases, and can place safeguards on your accounts if you suspect someone is using them. Hopefully, youâ€™ll have been able to contact them before the bad actors use your account numbers or access your finances, but in case you havenâ€™t, banks have well-documented anti-fraud measures to help you recover. Contacting your card issuer can help them quickly send another card to get you back in motion as well.
This also includes credit reporting agencies, like Equifax, Experian, and TransUnion. Carefully review the latest information on your credit file from the big three reporting bureaus to make sure that there havenâ€™t been any unknown accounts or financing opened in your name. Contacting the bureaus can also help place a fraud alert on your name, which will alert you if any unknown activities are taking place. You can also freeze your credit, which will block new credit accounts and disable the bureausâ€™ ability to provide new credit reports to creditors. Issuing a credit freeze makes it harder to do anything financially, so make sure you need to do it. You’ll need to unfreeze before opening new accounts or even working with things like bank accounts, but it may be a necessary step to respond to suspicious activity.
There are some free options for credit monitoring services, but most require a monthly or annual subscription charge. In either case, identity and credit monitoring will give you a window into credit and financial activities taking place under your name. Some offer the ability to connect payment accounts for real-time monitoring and can issue alerts when something new pops up. In many cases, the company whose systems were breached will provide these types of services for free for a period of time, but youâ€™ll need to monitor the dates to ensure you either continue the service at the end of that time or feel comfortable enough to let it lapse.
You can do things to monitor your own information even before you become a victim of identity theft or a major credit breach. You can obtain a free credit report once every year, which is a good start to help you understand what is going on.
All of that is just to respond if you suspect that your data is in danger. What can you do if youâ€™re actually the victim of a fraud as a result of the data breach?
The police canâ€™t go out and fix identity theft for you but contacting law enforcement will give you legal standing to dispute future activity as fraud. It can also alert them to the fact that there may be others in your same situation and can help them work with other law enforcement agencies to track down the criminals.
This also includes contacting the federal government. In the United States, the Federal Trade Commission (FTC) handles this sort of thing, and victims of fraud can file a report online.
Freezing credit is a somewhat extreme measure but can stop thieves from continuing to open accounts or make purchases without you knowing.
Being on the losing end of a data breach can feel really lousy and can lead to panic or confusion, but itâ€™s important to approach the recovery measures with as much calm and analytical thinking as is possible. Youâ€™ll need to take steps to understand how severe the breach was, what information was accessed, and how to get in touch with the appropriate entities to start recovering from the breach. Itâ€™s also important not to over- or under-react. Doing so will only raise your stress levels, make it difficult to communicate with law enforcement, credit bureaus, and financial institutions, and may lead to lost time that could be used for recovery measures.