A data breach happens when an unauthorized person gains control over a company’s electronic files. Data breaches are costly for businesses because the business may lose customers once news of the breach spreads. According to Network World, companies must also pay legal fees, costs associated with notifying customers, and prevention expenses. The Ponemon Institute, an agency that researches information security policies, estimates that a data breach costs businesses $204 for each customer record that was lost or stolen.
But consumers also stand to lose when a data breach happens. When a company’s records are lost or stolen, your sensitive information (like your Social Security number or bank account information) could land in the hands of an identity thief. The thief could use that information to siphon money from your bank account, gain access to your credit cards, or create new accounts in your name.
Three main causes of data breaches
The Ponemon Institute says that data breaches happen for three reasons: personnel mistakes and negligence, system glitches, and criminal attacks. Criminal attacks actually account for the fewest data breaches; human mistakes account for the most. Perhaps that’s because many companies have built their information systems to protect against hackers, but can’t prevent human error as easily.
Does the law protect you against data breaches?
You may be surprised to learn that there’s no federal law that requires businesses to take certain actions when there’s a data breach. Instead, these laws are administered at the state level. The majority of states, the District of Columbia, Puerto Rico, and the Virgin Islands all have some type of data breach law. Five states – Alabama, Kentucky, Mississippi, New Mexico, and Colorado – do not.
State laws typically require the business to notify affected customers within a certain amount of time or be subject to a fine. The company may delay notification if a law enforcement agency says sending notification would hinder an investigation. Some states are required to report data breaches to a centralized database like the Open Security Foundation’s DataLossDB.
Business response to a data breach
In the past, some companies have paid for six to twelve months of credit monitoring for affected individuals. Credit monitoring can aid in early detection of identity theft by alerting you to new credit report inquiries, address changes, and new credit card accounts. While this is something the Federal Trade Commission (FTC) recommends to businesses that have suffered a data breach, it isn’t a requirement.
What you should do after a data breach
If you receive a notification of a data breach from a company you’ve done business with, it’s a good idea to place a fraud alert on your credit reports to prevent identity theft. Continue monitoring your credit reports to detect cases of identity theft that have slipped through the cracks. Notify the local police, the FTC, your creditors, and the credit bureaus if you believe you’ve been a victim of identity theft. Download the free SpendOnLife Identity Theft Recovery Kit for personalized advice about your case of identity theft.