What causes a security breach to occur?
How will I know if a security breach has occurred involving my personal information?
How is personal information defined?
What are the risks involved in a security breach?
What causes a security breach to occur?
Security breaches can be caused by the theft of a laptop computer or electronic device, a hacker who gains access to confidential records or systems, an employee that fails to follow security procedures, or a business that fails to use appropriate security measures to protect sensitive data, among other causes. A few common methods include:
- Computer files containing university student information, including Social Security numbers (SSNs), are hacked.
- A bank's computer back-up tape with customer account data has been lost while being shipped to a storage facility.
- A dishonest healthcare employee has obtained computer files containing patients' records, including SSNs and dates of birth, and may have sold the records to criminals.
- Imposters have established accounts with a large information broker enabling members of an international crime ring to obtain thousands of comprehensive consumer profiles, including SSNs and dates of birth.
- A company laptop has been stolen from the back seat of an employee's car. It contains account data and SSNs on hundreds of thousands of customers.
- For more examples of security breaches, read the Privacy Rights Clearinghouse's chronology of breaches at www.privacyrights.org/ar/ChronDataBreaches.htm.
How will I know if a security breach has occurred involving my personal information?
Indiana’s disclosure law requires data base owners, state agencies, businesses, and organizations that collect and maintain personal information to notify you in the event of a security breach. Upon discovering that a breach has occurred, a business or organization must disclose the breach to each Indiana resident whose personal information was affected.
Under the law, this disclosure must occur “without unreasonable delay.” The notification should provide enough detail so that you can be prepared to protect yourself against identity theft or fraud. Failure to comply with the notification requirement can result in a lawsuit by the Attorney General and an order to pay civil penalties of up to $150,000.00.
Notification can occur by mail, phone, fax, or email, fax, or email. Substitute notice – disclosing the breach on the business website and to major news reporting media in the relevant geographic areas – is permitted if more than 500,000 persons are affected or if the cost of notification would exceed $250,000.00.
How is personal information defined?
“Personal information” is defined by statute to include either your (1) Social Security number; or (2) your name and address, plus any one of the following: driver’s license number; state ID card number, credit card number, or debit card or financial account number in combination with the security code or password that would permit access to the account. SSNs or account numbers that are redacted to show only the last 4 digits do not constitute personal information. Neither does data that is encrypted to render it unreadable.
What are the risks involved in a security breach?
If your personal information falls into the wrong hands, it could be used to open new accounts in your name, drain your existing accounts, or commit some other form of identity theft or fraud against you. A Social Security Number by itself can be used to create a new account in your name, which could result in collection actions and harassment, lawsuits to collect the erroneous debt, inaccurate credit reports that may keep you from getting a car loan or mortgage re-finance, and many other types of monetary damage and frustration.
Identity theft continues to be one of the top consumer complaint categories at the state and federal levels, and the increasing number of persons affected by security breaches is likely a factor in that trend. It’s important that you have timely and accurate information about security breaches that may impact you so that you can act quickly to protect yourself. Delayed notification may lead to further instances of fraud, higher monetary damage amounts, and even the passing of important deadlines that affect your legal rights to recover your money or restore your identity.
