Avoiding Personal Damage from a Data Breach

There is no doubt that technology makes life easier. Everything from ordering your groceries to registering for college can be done online these days.

To enroll in college, you need to enter all your information, including your social security number, your immunization records and your email address, into the online registration form. When ordering groceries, you simply store your credit card information and address on the website so you only have to click three boxes to get your favorite granola bars delivered. And those times you venture away from the computer and go out shopping, instead of taking out your credit card to swipe, you can have your credit card information stored on your iPhone and simply scan it to purchase that motorcycle you have been eyeing.

What most people do not realize is that this convenience puts your personally identifiable information (PII) in places where you depend on others to protect it. PII is defined as any representation of information that permits the identification of an individual, such as name, address, social security number and email address. Basically, it is any information that someone could use to open up a credit card in your name. Therefore, if your favorite website that holds your PII is hacked, your information can get into the wrong hands.

Retailers and other organizations want to keep you as a customer, and they want to make your shopping experience with them as easy as possible. Studies have found that you are far more likely to buy items if you only need to click a few buttons. If you need to stop and get your credit card, you may rethink that purchase. Also, these companies want as much information from you as possible. The more data they acquire, the more they can analyze and better understand their consumers’ buying habits. Mining for data today is just as profitable as mining for gold was in 1849.

So what do organizations need to do to secure your data so that you can trust it is in a safe spot? The Federal Financial Institutions Examination Council (FFIEC) has proffered a cybersecurity assessment that outlines how corporations can manage risk. First and foremost, every corporation that houses your information should have security measures surrounding your data. Preventative controls are of utmost importance to impede unauthorized access to your information. Your data should be encrypted when it is transmitted, with higher levels of encryption for PII, such as social security numbers. Anti-virus and anti-malware tools should be routinely updated and IT networks should be routinely scanned for anomalous activity.

It is also recommended that management and leadership teams get behind governance policies that routinely train employees on cybersecurity risks, and that this training be provided on a frequent basis. If employees are not aware of potential attacks through phishing schemes, etc., they may inadvertently open up your PII to an untrustworthy source.

Most major organizations have extremely vigorous cybersecurity measures in place. Also note that various organizations that collect your PII (your bank, university, brokerage account) are subject to industry regulations, such as those from the SEC or FTC, which mandate the security measures organizations need to have in place to protect your PII. If there is a breach, these corporations by law need to notify you directly. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving PII. Many times they are also obligated to provide free credit monitoring to you for a certain length of time. If you are given this free service, make sure you sign up. This helps to protect your PII, and if it does get into the wrong hands, this service will notify you if someone out there is trying to open a credit card in your name.

While you can’t control the protection your PII is getting and there is an undeniable attraction in the convenience of having your PII stored for quick reference, you need to find a balance. As previously mentioned, many large organizations have regulations that provide a certain level of protection of your information. While those organizations can be and have been breached, they should have response plans in place to quickly and effectively deal with a breach. However, smaller companies may be unregulated and may not have top-notch security, which could put your information at great risk. It may be wiser to avoid saving your information on their sites. If asked for PII, take great care before you hand it over. Since your PII is as valuable as gold, make sure you keep your data as safe as you would your jewelry. Just like you wouldn’t lend your jewelry to untrustworthy people, you shouldn’t lend your data to them either.

About Samantha Green

Samantha Green, Esq., is eDiscovery counsel at DTI, where she advises clients and speaks on litigation readiness, discovery process design and validation, data preservation, collection, processing, review and production and the management of complex litigation discovery matters. Prior to joining DTI, Green was the eDiscovery attorney at Blank Rome LLP. Before that, Green was an associate at the law firm of Moses & Singer LLP in New York. Green is a member of the New York Bar.
