By Jennifer Wilding
Finding out your confidential information was stolen in a security breach of an organization you do business with online or who stores your data online can leave you feeling stressed out and vulnerable. Unfortunately, the modern conveniences of online accessibility to businesses and services has given online thieves a reason to find new ways to penetrate online systems. These security incidents are happening all too often. If you receive a breach notice, there are steps you should take to prevent thieves from benefiting from your stolen information and put you more at ease. We will be discussing five of those important steps in this post.
1. Identify What Information was Compromised.
Any time a company that stores your personal data online discovers that they were hacked, they are legally required to notify you of this, which is usually how you find out about the data breach in the first place. Most often, an email or letter by mail is sent out to give a heads-up that your data either was compromised or may have been compromised. As part of this notification, there will be a list of the types of data included in the breach. Look for that list to help you determine, more specifically, what confidential information about you has likely been released into the online wild.
Among the types of information exposed, look for Social Security number, date of birth, credit or debit card Information, driver’s license information and/or medical Insurance account information, or account passwords to be among the stolen data. This is important because, while your email address being stolen may result in more spam emails or email phishing attempts to your inbox, if you’re carefully scrutinizing your emails, and classifying extra spam as spam with your email provider, there’s not much else that can be done to victimize you using just your email address.
Credit and debit card number information can be changed to avoid fraud. However, Social Security numbers and other personal identifying information typically used to verify you for secure financial accounts is where things can get risky as far as potential financial fraud attempts. Personal answers to security questions, your mother’s maiden name entries, date of birth, PIN numbers are examples of data that can be used along with your name to either open new financial accounts (like credit cards) or access your existing accounts while posing as you. Medical insurance information is also a risk to have floating around on the web because thieves have been known to rack up medical bills posing as others and having providers submit to their victim’s insurance company to foot their medical bill or fulfill drug prescriptions. Confidential health records also fetch a lot of money on the dark web for hackers, and health data breaches are on the rise because of this.
Once you know what you are dealing with as far as exposure goes, you’ll have a better idea of what steps will be necessary to catch and/or prevent fraud activity using that information.
2. Implement Extra Digital Security Measures Based on What Data was Stolen
EMAIL & PASSWORDS
If basic email and password account information was lifted: change login passwords on the associated accounts to have new, secure, hard-to-guess passwords. If you don’t already have an online password manager helping you track logins in a secure way (encrypted), consider looking into a password management tool (examples: Bitwarden, OnePass, LastPass, PassHub, KeePass). They often provide random secure password generator options as part of their service.
UPDATE SECURITY QUESTIONS & PIN NUMBERS
Either choose new security questions and answers for account security or make a conscious effort to be consistent with using answers that are not factually correct but can be easily remembered by you. For example: you might change the answer to street you grew up on question to be the street you wish you grew up on. Just remember for yourself that you made these changes and secure your new answers in a special place offline if you need to.
FOR ALL ONLINE ACCOUNTS THAT CONTAIN SENSITIVE PERSONAL INFORMATION
If you haven’t already, investigate implementing Two-Factor Authentication as a practice to prevent logins of people posing as you on these accounts. Also known as 2FA, this kind of authentication involves the use of a unique key, in addition to a standard login, as an extra security measure to get you into these accounts. This “key” could be a unique 6-digit passcode linked with a mobile app on your phone (Google Authenticator, Last Pass Authenticator, Microsoft Authenticator, and Twillo Authy are popular examples of these applications).
Another type of 2FA involves the use of a biometric identifier such as a fingerprint reading from your mobile phone, or a limited-time single-use passcode sent to your cell phone as an SMS text message that you can enter as part of your second-step login to further confirm your identity.
Although this extra step added to all your account logins may be less convenient for you, it is just inconvenient enough to successfully thwart thieves who are unable to pose as you since they don’t have access to your mobile device in real time.
Online accounts that offer a 2FA feature usually have step-by-step instructions to walk you through implementing this feature in your password security settings within your account.
3. Notify Organizations & Closely Monitor Your Accounts
FOR BANK CARDS
Contact your financial institution to let them know your payment card information was stolen in a breach so they can cancel any compromised card numbers, issue you a new card number and connect this new card to your account.
Closely monitor your financial statements for any suspicious charges that may have occurred before you made the changes. If your data breach letter also included any free credit monitoring or identity theft protection service offer for a year or more, consider taking them up on the free offer*. If there isn’t an offer for these types of monitoring, consider looking into this type of service to further protect you.
*Note: Although accepting the free credit monitoring service may disqualify you from being able to sue the company for the breach as an individual (as noted in some fine print terms)
– this will not prevent you from being able to join as a class representative or class member in a class action lawsuit brought about by the breach. If you have not experienced any major fraud yet, protecting yourself with the help of credit monitoring is still a better option than leaving yourself exposed and vulnerable to fraud activity.
FOR DRIVER’S LICENSE DATA
Consider contacting your local Department of Motor Vehicles office to notify them that your information has been stolen online and find out what they recommend. They may make a notation in their system that your driver’s license information was compromised in a data breach. If any criminal activity takes place with your number that is discovered, you can ask for a license number replacement. Some states will permit this after criminal activity has occurred using your existing license number.
If your driver’s license number and associated personal information is compromised in this way, you may also consider paying a fee to a background check service to run a check from time to time to make sure there is no strange activity captured revealing someone posing as you. Should you ever notice traffic violations or other citations showing up that are unfamiliar, reach out to police to let them know this kind of identity theft has occurred.
FOR MEDICAL INSURANCE DATA
If your insurance company wasn’t hacked (in which case, they would already know about the breach) reach out to let them know your medical insurance details have been exposed in a recent breach.
Monitor your insurance account for any strange claims that are not a part of your known medical care or prescriptions. If the breach occurred to one of your medical providers, you can make a formal request for your medical records to check that everything represented there is something you are familiar with. If you see anything strange, reach out to let them know. Unfamiliar information could be due to a clerical error that needs to be corrected or possible identity fraud. You would want to act quickly if someone is using your identity to engage in theft of medical services or prescription drugs in your name.
4. Fraud Alerts or Security Freeze with Credit Reporting Agencies
When your Social Security number and other personal security information are stolen as part of a data breach, you have two options outside of credit monitoring available to you. These two options are reaching out to one of the three credit bureaus to place a fraud alert notice on your accounts with all bureaus due to the breach or, going a step further to secure your credit report access, by reaching out to each of the three main bureaus and implementing a credit report freeze for each one.
It should be noted that neither of these options will harm your credit or affect your credit score, as they are only intended as a measure of extra protection against identity fraud. Also, you would only want to add one or the other instead of both options together to minimize your own inconvenience should you need your credit profile reviewed for a necessary financial activity authorized by you.
OPTION ONE – ADDING A FRAUD ALERT FOR MODERATE PROTECTION
There are three types of fraud alerts you can activate with the major credit bureaus, and they are all free to activate. The inconvenience of fraud alerts is that they hinder instant credit approvals such as in-store credit offers at retail outlets or an instant credit card pre-approval done by quick automated credit check systems. The fraud alert type you request will depend on what your status is and adding this alert will require that the requester provide extra information to confirm identity before any information can be used to approve a loan or credit line. The three options are:
A Temporary Fraud Alert – this is the one to request if your credit card number or Social Security number has been stolen online in a data breach, but you haven’t yet experienced any fraud or identity theft related to that breach. Activation lasts one year and automatically expires if not renewed.
An Active-Duty Fraud Alert – this is for those in active-duty military service on assignment away from home who want to request extra protection for that purpose. Activation lasts one year and automatically expires if not renewed.
An Extended Fraud Victim Alert – this is what you want to apply for if your data was stolen and you’ve already been a victim of fraud activity as a result and have reported the crime to the authorities. This will require a copy of the police report you filed. This alert lasts for seven years and then automatically expires.
Note: Because Fraud alerts just require an extra step to validate your identity using other personal information, if you are certain that the data breach obtained a lot of personal information about you, you should opt, instead for a credit freeze.
To set up a fraud alert for all bureaus, you can click HERE.
OPTION TWO – FOR MAXIMUM PROTECTION – CREDIT FREEZE
Freezing your credit account will restrict all access to credit report inquiries and thus prevents the unauthorized opening of new financial accounts in your name as part of identity theft. To do this, you must reach out to each credit bureau individually and take on a separate login specific to each credit freeze request. This is usually different than standard credit bureau website account logins with these companies and will require creating and retaining a special PIN number to unfreeze when you need to apply for any loans or new lines of credit. Be sure to Keep the PIN number you choose in a secure place where you can find it again when you need it.
Credit freeze resources for the three credit bureaus:
Visit their website to activate a freeze, or for information call 888-397-3742.
Visit their website to activate a freeze or call 800-349-9960.
Visit their website to activate or call 888-909-8872.
5. Consider Pursuing a Data Breach Class Action Lawsuit
We at Join Class Actions and Siri & Glimstad LLP specialize in data breach class action lawsuits. If we already know about the data breach, we may already be working behind the scenes to bring justice and compensation to those affected. If we do not know about it yet, you may be able to play a part in getting a class action lawsuit launched as a lead plaintiff which would position you to receive special compensation (often between $2,000 -$5,000) for that role as part of the approved settlement.
If you are part of a data breach that impacts many thousands of people and your data breach letter was received within the last 30 days, check HERE to see if we have an intake form listed related to your specific breach.
If you do not see your specific data breach intake form listed on our website and you received a notification about the data breach in the last 30 days, complete an intake form HERE to let us know about the breach and be prepared to send us an images of your letter in a photo format.
If your data breach event occurred longer than 30 days ago, chances are good that we are either already working on it, another firm is working on it, or the data breach is not large enough to constitute the type of class action cases we litigate.
Be sure to act quickly to protect yourself. It’s important not to delay in implementing these digital security measures to prevent someone from committing identity fraud using your data. By the time you have been made aware of a breach, chances are good the thieves have possessed this information long enough to have already begun the second part of their plan: acting as identity fraudsters using or selling your information. Regain control by acting quickly to stay ahead of them.