Every day, a new data breach makes its way to the front page of our tabloids. Recently, Quest Diagnostics (a medical collection agency) took home the prize that no one ever wants to have on their trophy shelf— biggest breach of 2019. The incident made multiple millions of records of sensitive data available to attackers including financial information, social security numbers, medical information, lab test results, and more. At first glance, it’s a devastating breach in terms of both size and information collected. But is anyone really surprised?
I’m asked a similar question quite often. As we continue to see massive breaches at an insane pace, are we becoming desensitized to them? Should we still be paying close attention to each breach that occurs? Does this even matter any longer?
Of course, to me and to all of us at FRSecure the answer is an emphatic yes. Yes, it matters. Yes, we should be paying attention. But, frankly, yes we are becoming a little numb to breaches in the news.
As a result, we are getting lazy about our own personal security. We are missing an important, yet basic component of information security. You are the best person to advocate for, monitor, manage, and protect your personally identifiable information (PII). It’s on you to take an active role in protecting it.
Now, there are responsibilities that a corporation must take when an incident occurs at their expense. A breached company has obligations they are required and expected to fulfill when it is the cause of your PII getting out into the wild. And, don’t get me wrong – these companies typically do feel bad about it. Ultimately, though, no one is going to care about your personal information the same way you will, so the onus is on you to protect it.
Your diligence in remediation, as well as using the incident as a springboard to increase your protection moving forward, will mitigate the impact of the incident and hold those who caused the data breach accountable.
In speaking with FRSecure CEO and Founder Evan Francen about breaches, one thing has always resonated with me. Evan said once, “It’s you who is impacted the most. Companies have insurance. They will likely weather the breach from a reputational perspective. It is you who has to go through the trouble of staying on top of your own PII— and that’s hard.”
But it doesn’t have to be.
Your personal security
If you learn your name was caught up in a breach, there are some things that you can do to protect your credit history, your personal assets, and your peace of mind.
- Upon learning of a breach, freeze your credit with the three main credit reporting services. It protects you from people making inquiries on your credit, and it will not impact your score.
- If your identity has indeed been stolen, file a report on stolen identity with your local police and the US Federal Trade Commission.
- If credit card information was part of the breach, immediately cancel the impacted card and get a new one from your provider. Call all the major credit card companies that you have credit with to alert them of this situation as well.
- If your banking information was part of the breach, make it a daily or weekly habit to scour your account. Report and dispute any fraudulent charges or transfers.
- Contact the company who was breached and ask them to cover any expenses from credit monitoring services. If they push back, remember that they were ultimately the reason your personal data got out into the world. Being polite, yet forceful, in your negotiations will go a long way.
- Contact the IRS to ensure that you are not being impacted by tax identity theft.
- Criminals might try to get a driver’s license in your name. Talk to your state Department of Motor Vehicles (DMV) licensing division about flagging your file so no one can get a new license in your name before the expiration date hits.
- Collect data. Get all the pertinent data from the company that caused the breach. The more detail the better. The more data you get up front, the better equipped you’ll be if there eventually comes a time when you have to take legal measures to get yourself back to where you were prior to the breach.
We often discuss what companies should do when they get breached. It’s a topic that many are still in the dark on. We can dissect every what-if, creating extensive roadmaps and how-tos for breach response. At the end of the day, however, information security isn’t as much about information or security as it is about people. Again, companies will likely recover from the financial, reputational, and regulatory consequences of the breach. Despite that, it will always be up to you when it comes to protecting yourself from breaches, and reversing the damages caused by one.
To learn more about the Quest Diagnostics data breach, check out my recent interview with KSTP:
If you’d like to learn more about what you can do to protect yourself or your organization from being devastated by an information security incident, reach out to us at frsecure.com.