It has happened again. Another data breach in the headlines. This time, instead of thousands or even millions, initial reports about the latest Yahoo breach indicate a potentially record-setting 1 billion people affected. Perhaps most concerning is that it apparently took three years to discover and report the breach. In these “legacy breaches,” cyber thieves have months, sometimes years, to use compromised data – such as email addresses, passwords and dates of birth – to perpetuate additional breaches, potentially leading to identity theft and other harm to finances and reputations.
What does this mean for people and businesses in Tennessee? Unfortunately, it’s probably too late to protect yourself from any fallout from this latest reported Yahoo breach. These reports, however, remind us of the need to take proactive measures to protect ourselves and our personally identifiable information. For businesses, it should serve as a reminder to reassess their security measures and their ability to respond to a data breach.
Like almost every state, Tennessee has a data breach notification law that requires businesses to notify customers of a breach of their personally identifiable information, such as Social Security numbers, driver license numbers and financial account information. New revisions to the law this year impose higher standards on businesses affected by data breaches.
Businesses and government agencies must now notify Tennessee residents affected by breaches of certain information no later than 45 days after discovering a breach. Without a plan to respond, complying with this new requirement may be difficult. If you’re not sure how well your business would respond to a data breach, consider consulting a professional – preferably before, not after, a breach affects your company.
While businesses may be required to promptly notify customers when they discover breaches, cyber thieves can do significant harm with stolen information in a matter of hours. As the time between the breach and discovery widens, breach notices become increasingly useless in protecting customers from potential harm.
Proactively change your password three or four times a year instead of waiting to get a notification that an account may have been compromised. Use strong passwords, and don’t use the same password for multiple accounts. Many email providers and other online services now are offering two-factor authentication (2FA), which significantly increases security. If you are not using 2FA, see if this added security measure is offered by your provider or service.
Likewise, make a habit to regularly monitor financial statements and online account activity. With the increasing proliferation of medical identity theft, it is also a good idea to keep an eye on health insurance account statements, explanations of benefits and medical bills for any unusual activity. Waiting until you receive a notification of a breach to take such actions may be too late.
Besides account maintenance and monitoring, other habits may be helpful in reducing your risk of exposing your personal data. Be mindful of sensitive information contained in emails. As we have recently witnessed during this past election, emails are not as private as we may all want to believe. Know where your emails are stored, and to help minimize your online footprint, consider closing old email accounts you infrequently use.
Consider which security questions and answers you choose for verifying your identity to reset your password or log on from an unrecognized device – and change them routinely. For instance, if you use the security question “What is your hometown?” and your answer is “Knoxville,” consider a more obscure question.
Every year, the number of data breaches grow. As the time between when a breach happens and when it is discovered widens, relying on notifications before taking action is an increasingly ineffective way of protecting your private information. Instead, get in the habit of taking proactive, routine measures to protect yourself in 2017 and beyond.
See the article in the Knoxville News Sentinel.
Mr. Joy has a variety of experience in various general civil litigation matters including business and commercial litigation, insurance coverage disputes, healthcare liability defense, medical device liability defense, personal injury and business torts. He also represents media organizations and journalists in defamation actions and other matters. Mr. Joy has been involved in a number of jury trials to verdict. Mr. Joy also provides counsel to clients in the area of information privacy and cybersecurity including security incident investigation, security awareness and policy drafting, cyber risk management including insurance policy coverage consultation and breach response management. Specifically in the area of healthcare, Mr. Joy counsels covered entities on a variety of matters pertaining to HIPAA Privacy Rule, Security Rule, and Breach Notification Rule compliance.
Mr. Joy has earned the Certified Information Privacy Professional/United States (CIPP/US) credential through the International Association of Privacy Professionals (IAPP).