Report: Data Breach Notices Lack Key Details, Enable Identity Theft ‘Scamdemic’
Last updated February 2, 2023
There’s a good chance you received a data breach notice last year—possibly more than one. Unfortunately, hackers continue to be very successful at breaking into corporate computers.
Listen to audio highlights of the story below:
Last year, breaches victimized Americans more than 422 million times last year, an increase of almost 42 percent from 2021, according to the non-profit Identity Theft Resource Center (ITRC).
The personally identifiable information (PII) compromised in these attacks often included everything identity thieves would need to impersonate you, including Social Security number, bank account numbers, birthdate, driver’s license number, age, and current home address.
All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, have laws requiring private businesses, and in most jurisdictions, governmental entities, to notify individuals of security breaches that involve PII, according to the National Conference of State Legislatures (NCSL).
Only a few states require companies or government agencies to include specific information in their breach notifications, such as the approximate date of the breach, a brief description of the personal information obtained in the breach, and a general description of what happened, if that can be determined.
For example, New York state law requires a breach notice to include “a description of the categories of information that were, or are reasonably believed to have been, accessed or acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so accessed or acquired.”
More Info: NCSL has a list of security breach notification laws on its website
In its annual report on data breaches, the ITRC found a troubling trend: Last year, only 34 percent of breach notices included details about what was obtained from attacks, the lowest number in five years, down from a high of 72 percent in 2019.
“In other words, the information individuals and businesses needed to determine the risk to their identity information after a compromise was not included in approximately two-thirds of all public breach notices,” said ITRC CEO, Eva Velasquez.
As a result, “individuals are largely unable to protect themselves from the harmful effects of data compromises,” Velazquez said, “fueling an epidemic—a ‘scamdemic’— of identity fraud committed with compromised or stolen information.”
Knowing what data was compromised is critical to formulating a risk minimization or recovery plan, Velasquez told Checkbook.
“The steps you take when your Social Security number has been breached are very different than the first steps that you take if a username and password or login credentials have been breached,” she said. “Without that key information going out to consumers, you're really leaving them in the dark as to how to protect themselves.”
The ITRC contends that compromised businesses are making “a conscious decision to withhold information.” In its report, it singles out Samsung, DoorDash, and LastPass, which all had breaches last year, for deciding to include “limited or no detail about what happened and who was impacted in their state-mandated breach notice.”
Consumer advocates, including the ITRC, have been calling on Congress to pass a federal data breach law that would, among other things, require all data breach notices to include the types of data that were compromised. Sen. Dianne Feinstein (D-CA) introduced the Data Breach Notification Act back in 2009. It never came up for a vote, and Congress has not shown any interest in considering such legislation.
From Checkbook: How to protect yourself from identity and cyber theft
Contributing editor Herb Weisbaum (“The ConsumerMan”) is an Emmy award-winning broadcaster and one of America's top consumer experts. He has been protecting consumers for more than 40 years, having covered the consumer beat for CBS News, The Today Show, and NBCNews.com. You can also find him on Facebook, Twitter, and at ConsumerMan.com.