You just received a letter in the mail explaining that your personal information was accessed by an unauthorized third party in a recent data breach. If your sensitive information has fallen into the hands of cybercriminals, you need to act quickly to protect yourself from identity theft.
Questions you may ask yourself after your data was stolen:
- What can cybercriminals do with this information?
- What can I do to protect myself from all of the fraud attacks that I’m now vulnerable to?
- Why did a company allow a third party to access my private information?
- Will my credit or job be affected?
- Can criminals now apply for loans and unemployment in my name?
- Is there anything I can do to be compensated for this loss?
- What are my legal options?
What to do after a Data Breach Notification Letter
Our experienced consumer privacy attorneys have identified a number of steps you can take to minimize the risks and protect yourself from the fallout of identity theft. These steps are generally easy to implement and won’t cost you anything. The time it takes to do them, even for the busiest data breach victims, is worth the protection they provide.
Below are 9 recommendations from our experienced data breach attorneys.
1. Carefully Read the Letter in Its Entirety.
When you receive a data breach notification letter, you need to take it seriously. Don’t just ignore the letter. It’s important that you read through the whole letter, not just skim it, even though the language used in these sorts of letters is often unhelpful and frustrating.
Instead of getting definite information about what happened from the language used in the letter, you’re likely to encounter a lot of uses of “may have”: a hacker may have gained unauthorized access, your data may have been affected, and your identity may have been compromised. (The company apologizes for the risks and inconvenience the data breach may have caused you.)
The letter will likely say, without backing up the assertions, how “seriously” the company takes data security and how much “regret” it has for the incident. Often, a company that sends a data breach notice states that it has found “no evidence” of misuse or attempted misuse of the potentially breached data. These statements can give you a false sense of security. Just because the company isn’t aware of identity fraud doesn’t mean that it hasn’t happened or that it won’t happen. In many cases, the company can’t even determine who the unauthorized party that breached its network was, much less what has been done with the breached information.
The frustrating language aside, reading and holding onto the letter you received is very important for several reasons—read on to find out why.
2. Find Out What Type of Personal Data Was Breached.
Although it likely won’t tell you for sure what data of yours was stolen—again using that cop-out of saying that information “may have” been affected—the data breach notification letter you receive should offer you some kind of clarity on the types of information affected. This information is crucial.
If Social Security numbers were among the types of data potentially compromised, even if the company can’t tell you for sure whether the cybercriminal actually viewed your Social Security number, there are steps you need to take that you might not have to implement otherwise.
Similarly, if you learn that financial account data was compromised, you may need to close accounts or request new credit or debit cards with new account numbers. Data breaches that leak your personal health information may prompt you to notify your medical providers and health insurer, which you wouldn’t have to do in response to breaches involving only other types of data.
Identifying the types of data that were included in the breach should inform the actions you take next, and reading the full text of the data breach notification letter is your first step to formulating these plans.
3. Sign Up for Any Credit Monitoring or Protection Services Offered to You.
After a data breach, many companies will offer some type of complimentary credit monitoring or identity protection service to affected consumers. In some states, companies may be required to do so.
A surprising number of consumers who receive a data breach notification letter don’t take advantage of these free services, but they should. Here are some things you need to know:
Your Legal Rights Are Still Preserved When You Sign Up for Credit Monitoring Services.
You don’t waive any legal rights by taking the company up on its offer of complimentary credit monitoring services.
Consumers who are aware that companies can face legal and financial accountability for a data breach may worry that accepting this offer of help from the company will prevent them from moving forward with data breach litigation. This concern is unfounded, but it may arise from confusion about resolved matters of data breach litigation. For example, a 2019 Equifax data breach settlement offered affected consumers either 10 years of free credit monitoring or a cash payout, according to CNBC.
People who are affected by a data breach can and often do (and certainly should) protect themselves in all possible ways. In many cases, these ways include taking advantage of the credit monitoring services provided by the company as well as participating in any applicable class action lawsuits against the company for failing to adequately protect the data in its possession.
You’re Not Automatically Enrolled in Credit Monitoring Services—You Have to Opt In.
If you carefully read through the part of your data breach notification letter that discusses the offer of a credit monitoring or identity protection service, you will notice that there are instructions for signing up for the service, often requiring you to use a provided code or PIN to create an account with the credit monitoring service. There is usually a deadline by which you must act, as well.
Even though the company that sent you the data breach notification is offering this service and is aware that your information may have been affected by the cyberattack, it can’t set up your credit monitoring service account for you. You must opt in to this service by following the sign-up instructions provided before the deadline to do so passes.
Just Signing Up for Credit Monitoring Services Isn’t Enough to Protect Your Identity.
Ultimately, the kinds of credit monitoring services commonly offered to affected consumers for free after a data breach aren’t as robust as one would hope. Signing up for this service alone won’t do enough to protect your identity, but it will help when used as one of many tools that can minimize and insulate you from the risks of identity theft. The other woeful inadequacy is that the credit monitoring is usually for a short time, often one year. Meanwhile, your Social Security number and other sensitive personal information will be in the hands of sophisticated and devious cybercriminals on the dark web for the rest of your life.
4. Change Your Online Passwords and PINs.
We all hate having to deal with changing passwords and memorizing (or saving) new ones. However, a data breach makes doing so necessary. The cybercriminal who gained unauthorized access to your personal information may now be not only in possession of a password that you use for your account with the breached company but also one big step closer to accessing any accounts for which you may use similar passwords or login information.
Since you know that your data has been potentially compromised through the breach, you should make every effort to protect all of your online accounts. For example, you should adopt two-step, or multi-factor, account verification from any company that offers this safety feature. Although it may make logging into your accounts a little slower, the extra security and peace of mind you gain is worth the minor inconvenience.
Once a cybercriminal has access to one of your accounts, each additional piece of data they can acquire or account they can gain access to increases their potential to do you harm. Lock them out now by replacing all of your potentially vulnerable passwords with strong passwords that will be difficult to guess, even for a hacker who is already in possession of some of your information.
To help you make these changes to your online accounts, consider using the free resource Have I Been Pwned (created by Microsoft Regional Director Troy Hunt and vouched for by Consumer Reports) and a password manager, a tool that helps you generate and digitally store strong passwords for all of your accounts.
5. Start Contacting the Parties Who Are Relevant to Your Breached Information.
As noted above, the types of information affected by a data breach also influence the steps you need to take to protect yourself. At this point, you need to reach out to the relevant parties to notify them of the data breach.
If Your Social Security Number Was Stolen:
Your Social Security number (SSN) is a very important nine-digit identifier that was assigned to you by the federal Social Security Administration (SSA).
The government uses your Social Security number to track earnings and access to benefits under government programs. However, this identifier is commonly used in the private sector for identifying individuals for purposes of opening credit accounts and financial accounts and verifying health insurance coverage and services.
In the event that your Social Security number is stolen in a data breach, a person could try to open new credit accounts and loans, drain your existing financial accounts, get medical services under your medical insurance, or even falsely identify themselves as you if charged with criminal activity.
Some of the organizations you should notify of a data breach that included your Social Security number include:
- The Social Security Administration (SSA)
- The Internal Revenue Service (IRS)
- The Federal Trade Commission (FTC)
- The Department of Justice
If Your Financial Data Was Breached:
In instances of retail data breaches, financial information is often among the types of data stolen. Financial data might include the following:
- Credit card numbers
- Debit card numbers
- Bank account numbers
- Payment card expiration dates
- Card security codes (CCV/CVV codes)
- Billing names, addresses, and zip codes
- Account access codes, security codes, passwords, and PINs
While a cybercriminal can’t open brand-new lines of credit with your financial information the way they could with your Social Security number, they can still cause you significant financial harm. Hackers who access individuals’ financial data may run up your credit card balance with fraudulent charges or remove money from a bank account, often using your debit card information. A cybercriminal may even request credit line increases, posing as you, so that their shopping spree can go over your existing credit limit.
It’s important to notify your bank, credit card company, or another type of financial institution when your financial data has been compromised in a data breach. Otherwise, you may end up on the hook for at least some of the fraudulent charges, withdrawals, or transactions.
It can be a pain to have to close a bank account or credit card and reopen one with new, secure account numbers, especially if you have bills linked to these methods of payment. However, having to fight, and perhaps even pay, for someone else’s fraudulent charges would be much more painful than having to spend time communicating with your financial institutions and updating your payment methods with various companies and creditors.
When you contact a financial institution to let them know that your information was compromised in a data breach, review recent transactions with them to make sure that no fraudulent activities have been attempted so far.
If Your Healthcare Information Was Breached:
Some data breaches target individuals’ health and healthcare information, including a patient’s:
- Gender and other demographic information
- Age and date of birth
- Medical account number
- Medical record numbers
- Healthcare provider names
- Medical history
- Diagnoses and treatments
- Dates of clinical service (appointments, tests, treatments, and hospitalizations)
- Laboratory test results
- Medical prescription information
- Health insurance plan provider
- Medicare or Medicaid numbers, or individual policy numbers and group plan numbers with a private health insurance policy
- Other health insurance claims information
Additionally, a data breach at a healthcare facility or company may also give the hacker access to personal contact and identifying information, such as Social Security numbers and digital signatures, and financial information, such as the numbers associated with the credit card or bank account used to pay for services. Make sure you follow up with the appropriate contacts pertaining to all of your stolen data, not only your healthcare information.
When your health information has been exposed in a data breach, you may particularly feel that your personal privacy has been violated. After all, the cybercriminal who stole your data may now know personal information about your health, including medical conditions, diagnostic tests and treatments that you have been through, and the healthcare providers you have seen. This information, even more so than your financial account information and Social Security number, may seem personal and private—something you don’t want strangers, particularly strangers with malicious motives, to know about you.
Aside from that feeling of being “watched,” a healthcare data breach presents very real threats to the security of your identity. To manage these threats, you should contact the following parties:
- All of your healthcare providers: Request and review your medical records. These notes can help you make sure that no one has gone to the doctor under the guise of being you and fraudulently used your identity to secure medical services for themselves.
- Any parties with whom your healthcare providers have shared your personal information: Contact any healthcare billing services or other parties with whom your providers’ offices have shared your information. Let them know of the data breach and make sure that no fraudulent medical appointments, tests, or treatments appear on your account.
- Your health insurance provider: Notify your health insurance provider of the data breach and review all claims and statements of benefits to make sure that you did, in fact, receive all of the services listed on your account. Your health insurance provider may be able to give you a new account with different plan numbers and account numbers than the one that has been compromised by the data breach.
- Administrators of any Healthcare Savings Account (HSA) or Flexible Spending Account (FSA) you have: Even if a cybercriminal isn’t using your health insurance information to get free medical care, they may be taking advantage of any healthcare savings benefits you have. Check your balance, monitor your account for suspicious activity, and notify your account administrators to request a new account and card with updated numbers.
- The senders of any medical bills you don’t recognize: If the individual using your personal healthcare information goes to a different doctor you have never seen, your first indication that something is wrong may be a surprise medical bill you receive in the mail. Even if you’re sure that a medical bill isn’t yours, don’t just ignore it. Contact the billing company to let them know about the data breach and ask for further information so that you can prove that you were not the patient who received the service.
If Identity Theft Occurs:
This is a possibility no one wants to think about, but it can and does happen. If you become aware that you have indeed been a victim of identity theft, you should file an Identity Theft Report with the Federal Trade Commission, the government agency that is concerned with consumer protection.
By taking this action and creating an account with the FTC, you can get a personal recovery plan and access to the tools and resources, like checklists, pre-filled forms, and letter templates, that can help streamline the process of dealing with matters of identity theft.
Having a reported incident of identity theft qualifies you to place an Extended Fraud Alert on your credit report accounts with each of the three major credit bureaus (see below). If you have an Extended Fraud Alert in place, companies must take additional steps to verify your identity in order to gain access to your credit report. Once placed, an Extended Fraud Alert remains active for seven years.
Identity theft is a crime. If you become aware that your identity has been stolen and used in a fraudulent manner, you should also file a police report.
6. Notify All of the Major Credit Bureaus to Set Up a Fraud Alert.
While there are certain parties you should notify of a breach of certain types of data, there are some contacts you should notify in the event of any cyberattack that compromises any type of sensitive personal information.
In particular, if any of the financial or personal identifying information that could be used to open or access credit accounts has been stolen—and at least some information of this variety is included in many data security incidents—then you should notify all three of the major credit bureaus.
Each of the three major credit bureaus in the United States allows consumers who have been or believe they may have been a victim of identity theft to set up a Fraud Alert. However, only people whose identity has indeed been stolen and who have filed an Identity Theft Report with the FTC are eligible to put in place an Extended Fraud Alert. If you have received a data breach notification, you can put in place a Fraud Alert even if there has been no suspicious activity on your accounts so far.
7. Check Your Credit Reports.
Don’t stop at notifying the major credit bureaus of the data breach. Request a copy of your credit report from each bureau (it should be available to you for free) and carefully examine your credit report for any suspicious or fraudulent activity. You can also get copies of your credit reports from AnnualCreditReport.com (a legitimate website that is authorized by federal law and recommended by USA.gov, the Official Guide to Government Information and Services).
Identifying suspicious activity on your credit report can be more challenging than it sounds because lenders sometimes go by a different name than you would expect. For example, a store credit card account may appear under the name of the financial institution behind it, not the store in which you were offered the card and to which the card is branded.
If you find any mistakes on your credit report, you need to contact that credit bureau to correct that mistake right away.
8. Put a Credit Freeze in Place on Your Accounts.
Here’s a tip that most people don’t know about protecting their credit and their identity: any consumer can place a “credit freeze” on their accounts for free. A credit freeze puts you in control, preventing access to your credit report (and as such, the unauthorized opening of any new loans or lines of credit) until you (temporarily) lift or (permanently) remove it.
You don’t have to wait until an identity thief has already made fraudulent transactions or opened new accounts in your name to take this simple and painless action. However, you should plan to freeze your credit reports on all three credit bureaus, not just one.
9. Monitor Your Accounts for Suspicious Activity.
Unfortunately, protecting your identity isn’t a set-it-and-forget-it process, especially when you know you are a potential victim of a data breach. Even with precautions in place like credit freezes, identity protection monitoring, and multi-step account verification, a clever criminal could still use your identity in more subtle ways than opening and maxing out brand-new credit card accounts.
One of the best things you can do is also the simplest: regularly monitor all of your accounts and be aware of suspicious activity. When you receive a statement on any of your accounts, take the extra moments required to review all transactions. Monitoring your account activity is a good habit to get into, even if you aren’t a victim of a known data breach. In fact, many people initially find out that an account has been compromised because they notice an unfamiliar charge or transaction on their account.
Can You Sue for a Data Breach?
If you’re starting to get frustrated at this whole situation, you’re not alone. You did nothing wrong, but you have to suffer through all of these consequences—the financial harm, the wasted time, the emotional distress. It’s unfair, and honestly, it’s overwhelming. You shouldn’t be the one to bear the consequences for the responsible parties.
The cybercriminal who hacked the network of the targeted company is certainly to blame, but they aren’t the only one responsible for this situation. Cybercrime has been on the rise for years. Companies that store sensitive personal information have an obligation to take all reasonable steps to secure the data in their possession.
It’s possible for a company that takes all the right precautions, like investing in a state-of-the-art data security system, to still be hacked by a skilled cybercriminal. However, investigations by experienced consumer privacy attorneys have revealed that, in many instances, hackers target companies whose data-security measures are outdated and inadequate.
By making the choice not to invest in the appropriate measures needed to protect the consumer data in their possession, some of these companies have made themselves vulnerable to cyberattacks. While the hacker may be the one who actively breached the network and compromised the data it contained, a company that neglects to take appropriate measures to protect the security of its data is also partly to blame for the effects of a data breach on consumers.
Even once the company became aware of the breach, did it notify you right away so that you could start to take precautions immediately, or did it allow months to pass without even bothering to tell you that your information was vulnerable? In our attorneys’ experience, breached companies often put off notifying consumers for three to six months (and sometimes longer). All this time, the company knows that your sensitive information has been leaked and your identity is at risk, but you have no idea.
Civil lawsuits against breached companies, based on allegations of failing to protect consumer data, are becoming more common. Through these legal actions, consumers affected by a data breach can seek compensation at no upfront cost and with relatively little time commitment required on their part. Our data breach attorneys are actively investigating data security incidents and pursuing compensation on behalf of our clients without adding more demands on top of the hassles you’re already dealing with.
Contact Emerson Firm LLP. There is no cost.
Not all data breaches lead to lawsuits, but it almost always makes sense for an individual affected by a data security event to speak to an attorney.
A data breach lawyer can launch a thorough investigation into the matter and help you understand your options for compensation. Our experienced data breach attorneys offer free consultations and no-win, no-fee legal representation, so finding out your options or even moving forward with a lawsuit doesn’t have to add to your financial burden.