Data breaches are on the rise: There was a 20% increase in data breaches from 2022 to 2023, according to a report from the Harvard Business Review, with victims often counted in the millions for each incursion. But this year’s total will eclipse those of previous years because of a single data breach revealed when a proposed class action lawsuit was filed a week ago.

The lawsuit says that a database of confidential information for nearly three billion people was stolen from National Public Data (NPD), a background check company headquartered in Florida. NPD scrapes data from non-public sources, which means those people on the list likely did not know their information was available from NPD and did not give their consent to share this data.  The database included full names, former and current addresses and Social Security numbers along with related family members. 

A criminal gang called USDoD posted the database entitled “National Public Data” on a Dark Web hacker forum called “Breached.” The price for this list? – $3.5 million. At this time, NPD has not confirmed a cyberattack and has not notified anyone in their database of a breach.

Companies are required to notify affected customers after data breaches in the U.S. Laws regarding notification are up to the states and therefore vary. In general, breach notification laws say what information a company must provide to customers, such as how the breach happened, what information was taken, how the data was used, what the company has done to mitigate the loss, how a company will protect individuals like offering free credit monitoring and how additional information can be obtained when it becomes available.

In Utah, the Protection of Personal Information Act requires businesses to protect personal data from being misused or disclosed. If a company discovers a data breach involving Utah residents, it must investigate to see if the information has been or might be misused. If so, the company must notify all affected Utah residents. Note there is no time limit for notification. However, it the data breach affects 500 or more people, the company must notify the Utah Attorney General’s Office and the Utah Cyber Center within five days from discovery. 

Delayed notification to customers is a common practice because companies want to gather all of the breach information, secure their systems and avoid public repercussions. Identifying a breach can take months, while fixing it often takes even longer. Notifications to customers may not go out until a year or more after a breach is identified, according to research by IBM.

With the exception of a request by law enforcement, there is no good reason to wait. Even if a company does not know all of the details of a breach, its customers may appreciate an earlier opportunity to secure their accounts – a “better safe than sorry” mentality. It’s time to follow in Colorado’s footsteps and add a deadline for notification, which is 30 days in the neighboring state.

If you are part of a data breach, you should take the following steps. But first, run a check to see if your email has appeared in any data breaches. Go to https://haveibeenpwned.com/ and enter your email address. If your account has been part of one or more data breaches, you’ll see the list and details on what types of data were stolen. These go back 10 years or more, so don’t be surprised if you get a positive result.

For new breaches, change the password of the account affected by the breach. If you’ve used that password elsewhere, change those as well. Check your accounts for two-factor authentication and turn it on wherever it is available. With it activated, you will receive a one-time code to your phone that you’ll enter along with your password. This prevents unauthorized use of passwords because the person trying to access the account must have your phone – an unlikely scenario.

If stolen data includes financial account information, Social Security numbers and the like, you’ll want to be aware of the possibility of identity theft. Check your credit reports and look for any unusual activity. Do the same with your bank accounts. File your taxes as early as you can in case someone tries to impersonate you. If you spot a problem, contact your bank and the credit institutions. You’ll need to freeze your credit and apply for a new credit card number, and you may need to close accounts. Victims of identity theft can report the crime at identitytheft.gov.

Leslie Meredith has been writing about technology for more than a decade. As a mom of four, value, usefulness, and online safety take priority. Have a question? Email Leslie at asklesliemeredith@gmail.com.

Newsletter