What to do After a Data Breach

Posted by Rob Schnetzer on Mon, Sep, 02, 2019 @ 13:09 PM

What happens when you find your email on a breach list?

Unfortunately, several of the largest data breaches of all time have occurred in 2019. One massive breach was dubbed Collection #1  with 773 million records affected. Another breach numbering 763 million records  has been named Verifications.io .  Even more insignificant recent breaches  like Graeters Ice Cream at 12,000 records remind us that hackers will attack networks of any size.You don't want to find yourself on this site.

It takes an average of 197 days to find a breach and another 69 days to contain it. However, containing a breach doesn’t affect how quickly (or slowly in some states) companies must report it.  What might play a big role in how quickly a company reports a breach is the law enforcement investigation of the breach. Depending on the entity investigating, they may deem it necessary to keep a lid on the breach to maintain the integrity of the investigation (see guidelines for reporting a breach later in the article).

Ultimately, the fine details of a breach are secondary to the “how it” or “will it” affect you, your business and your family. Some hackers choose to sit on records for years and never release them while others expose them to the internet as soon as they’ve been culled.  So what should your next steps be after you’ve been notified of a data breach?


1 Check your Email Addresses.

Make sure none of your other e-mail addresses and login information have been put out on the internet. The easiest way to do this is to go to “haveIbeenpwned.com” and search their database for your e-mail addresses. This is totally free, and you might be surprised at what you find. Honestly, after 2018 and 2019 if you don’t find your e-mail on HaveIBeenPwned.com you’re in the extreme minority.

2 Change your Card Numbers.

Call your credit card and debit card companies and change your card numbers. Do this for all cards involved in the breach or not, just to be safe. Because the cards number was stolen, not the card itself, the Fair Credit Billing Act means you are not liable for those purchases made illegally on the card

3 Contact a Credit Agency.

Place a fraud alert on your social security number by calling reporting agencies Equifax, Transunion or Experian. You only have to call one of the agencies, as they are each legally obligated to inform the others. This is a free service.


4 Change Your Passwords.

Change your passwords and use a password manager like Last Pass. This is a good idea whether you’re involved in a breach or not. This will help you systematically change all your passwords. Our suggestion is to start with the ones involved in the breach, or ones that you’d like protected the most. Then work your way out, changing a few a day or even more often than that. Password managers will create a separate password for each account and make it that much more difficult for anyone to breach all your accounts at once.

5 Contact the Company that was Breached.

Check in with the company that was involved in the breach, if that is possible. Some breaches involve records from multiple companies being released. Many companies like Equifax offer credit monitoring from a third-party company or other benefits when they are involved in a breach.


What are the guidelines for notification?

GDPR (European Union General Data Protection Regulation) compliant companies have 72 hours to notify you of a breach.  However if the company is based in the U.S. and not GDPR-compliant, the notification policies run the gamut, from as quickly as possible in many states to places like Connecticut which can delay up to 90 days. Here in Texas the notification mandate is as quickly as possible but no longer than 60 days after the breach is discovered. When corporations don’t follow these state guidelines, it opens them up to federal suits from the SEC  and civil class action lawsuits like Yahoo's in 2016 when a known breach remained undisclosed for nearly 2 years.

With this advice hopefully you can minimize the damage done by a breach.

Topics: Cybersecurity