Limiting Your Damage From A Data Breach
Today’s data breach epidemic is serious. Not a week goes by without another story in the news about another large data breach. Unfortunately, these breaches are becoming all too common and, in many instances, it seems there’s little you can do to prevent them. Luckily, there are several things you can do to protect your specific accounts in order to limit the damage from these breaches and reduce the time it takes to recover.
BEFORE a Data Breach
The following steps won’t keep your data out of hackers’ hands if a firm is breached and your personal data is taken from that firm. But they will help protect your data from hackers trying to access your specific accounts, and they can help reduce the time, money and effort you’ll need to recover from a breach.
Multi-Factor Authentication (MFA)
MFA is a great way to help protect your accounts from unauthorized access. MFA adds another factor or element to your login process in addition to your username and password. That additional security factor could be something you are (fingerprint or face recognition on your phone), something you have (a verification code texted to your phone), or something you know (security questions and answers only you would know). Pretty much all of your accounts should use MFA. If you’re not sure how to set up MFA for your accounts and apps, find their help page and/or call their support hotlines—especially for your financial accounts.
Strong Passwords
Following password best practices wherever possible will limit your exposure to hackers and compromised accounts. Combining strong password practices with MFA provides a great security foundation for your accounts.
Limit Information Sharing
Limit what you share on social media and the kinds of apps you use. The more sensitive information you share, the more hackers can steal and leverage to gain further sensitive information about you, including financial and health-related information.
Monitor Your Accounts
Review your accounts frequently. Review all charges to make sure you actually made them. Sometimes your financial institutions will flag purchases that aren’t typical (e.g., purchases that are really large or purchases from a remote location). Regardless of what your bank or credit card company does to review and protect your account, you need to check those transactions as well, and if you find something that doesn’t look right, call your bank immediately.
Identity Theft Protection Services
There are several free and paid services available to consumers. “Have I Been Pwned?” and other dark web monitoring services provide search insights into which of your accounts may have been compromised and whether your personal information is available on the dark web. Reviewing these sites and services can tell you which of your accounts need to be reviewed and which passwords need to be changed. Other services such as LifeLock offer more protections, including alerting when accounts are compromised and reimbursement services to make you whole in the event of a breach.
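The Have I Been Pwned service mentioned above also exposes its Pwned Passwords data through a k-anonymity "range" API: you send only the first five hex characters of a password's SHA-1 hash and compare the returned suffixes locally, so the password itself never leaves your machine. The following is an added example (not code from the original post or from Have I Been Pwned) that implements that check; the endpoint URL is the real one, the sample response body is constructed for offline use, and the User-Agent string is an assumed placeholder.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords corpus via
the k-anonymity range API. Only a 5-character hash prefix is sent; matching
against the returned suffixes happens locally."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into (prefix5, suffix35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Return how many times `suffix` appears in a range response.

    Each response line has the form SUFFIX:COUNT. A count of 0 (or no
    matching line) means the password was not found in the corpus."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines defensively
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the suffix list for a 5-char prefix from the live API."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "breach-hygiene-check"})  # assumed UA
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of breach appearances for `password`; 0 if not found.
    `fetch` is injectable so the check can run offline against a sample body."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


# Constructed sample body for the prefix 5BAA6 (SHA-1 of "password" starts
# with 5BAA6). The first suffix is real; the others and all counts are made up.
SAMPLE_BODY = ("1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
               "0000000000000000000000000000000000A:0\r\n"
               "ABCDEF0123456789ABCDEF0123456789ABC:12\r\n")

if __name__ == "__main__":
    print(pwned_count("password", fetch=lambda _p: SAMPLE_BODY))  # 3730471
```

To query the live service, call pwned_count("...") without the fetch argument; a non-zero result means the password has appeared in a known breach and should be changed.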
AFTER a Data Breach
Following a breach, the breached company may not immediately release information about the breach. Here’s a list of sites that may help you prepare for a breach and/or help you after one has occurred:
— Identity Theft: https://www.identitytheft.gov/Info-Lost-or-Stolen
— FBI: https://www.ic3.gov/default.aspx
— Federal Trade Commission: https://www.ftc.gov/
— Privacy Rights Clearinghouse: https://www.privacyrights.org/data-breaches
— Fraud Support: https://fraudsupport.org
— Credit Karma: https://www.creditkarma.com/id-theft/i/what-to-do-after-data-breach/
— HIPAA: https://www.hhs.gov/hipaa/filing-a-complaint/index.html
— Office for Civil Rights: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
Taking Action Against Your Data
The company that was breached can sometimes help, whether your individual account was breached or their infrastructure was breached and your personal information was exposed as a result. In some instances, they are required to disclose what was breached and to provide credit monitoring or similar services, and they may do other things to make you whole, such as refunding your account or offering to reimburse you for time spent tracking down false transactions. Their websites may contain useful information about your options after a breach, including help identifying whether your data was actually breached, information about credit monitoring, or other relevant information.
Review Government Protections
The federal government and your state and local governments can also provide certain protections and sites to report breaches. Varying federal and state laws prescribe different requirements depending on the nature, location and circumstances of the breach and the underlying data compromised. The Federal Trade Commission (FTC) provides guidance for lost account information, Social Security number theft and other commercial accounts. In the event you find your protected health information has been compromised, the government’s Health and Human Services site and/or the Office for Civil Rights (OCR) may be helpful. Sometimes a company that was breached may be slow to respond and, in those cases, it is helpful to review other government sites in order to learn about potential recoveries, including private litigation and class actions against the breached company.
No One Is Safe From Breaches
You can limit or even prevent some breaches by using strong passwords, MFA and limiting the sensitive information you share online. Some breaches are unavoidable (e.g., when Equifax is hacked, your information is stolen by hackers). Therefore, you need to take measures to protect yourself and your data if your accounts are hacked. Identity theft services, reviewing your transactions and reviewing government and corporate websites can help. In all instances it is key to stay vigilant and monitor your accounts routinely. Work with CMIT, your trusted cybersecurity advisor, to discuss additional preventative measures to protect your organization. Contact us today at 781-350-3438 or via email to [email protected] for more information.
Written by: Chris Zambuto | Chief Information Security Officer @CMITBostonCambridge