How many “notice of data breach” letters have you received in the mail?
By the time you get the letter, do you have time to protect your information?
Is the government helping to protect you?
NBC Responds and Telemundo Responde reporters working around the country have teamed up to investigate.
San Diego County families have dealt with their share of data breaches and the trouble they cause. That includes Donald Levine, who says a $20,000 loan was taken out in his name without him knowing about it until it went into default.
“My information was compromised almost a year earlier in 2021,” Levine said.
“I would have people calling me at all times of the night and day, trying to get money that I didn’t owe,” the attorney told us.
It took him hours and hours of research, phone calls, and filling out documents to prove he had nothing to do with the loan.
“They put the burden on me to prove it wasn’t me. But what if I couldn’t convince them?” Levine said.
It’s a burden shared by an increasing number of people nationwide. The total number of data breach complaints to the Consumer Financial Protection Bureau saw a huge jump from 2021 to 2022. Complaints from California residents more than doubled in that time.
“You have millions, frankly, millions of people who are victims of identity crimes every single year,” said Eva Velasquez, President of the Identity Theft Resource Center.
The ITRC's annual data breach report shows that in 2023, 30% of victims reported their data was misused by someone else. So far in 2024, that number has risen to 52%.
Velasquez said the problem is not just how many more notices are coming each year, but what’s missing from them.
“Two, three years ago, we started seeing this trend of less and less information on these letters,” Velasquez said.
The ITRC says in 2021, 100% of data breach notices included information as to what happened, what information was compromised, and how many people were affected. They say, ever since, the transparency has gone down significantly and currently stands at just 7%.
“This is critical information,” Velasquez said. “And the more we leave out and don't inform the impacted consumers and similarly situated businesses, the less ready we are to mitigate any upcoming risk.”
The ITRC has been sounding the alarm in Congress as well.
“The average number of notices in the U.S. is nine per day. In the E.U., one of the things they get right, 335 every day,” James E. Lee, COO of the ITRC, testified in May. “We are missing data breach notices and there are plenty of examples to prove that.”
Right now, federal law allows companies to decide when they’ll send out a data breach notice.
“We're really not incentivizing businesses to do what's in the best interest of consumers. We're incentivizing them to do what's in their own best interest,” Velasquez said.
“Sometimes people are afraid to report because they are afraid of liability,” said U.S. Senator Mark Warner from Virginia.
Warner, who is Chairman of the Senate Intelligence Committee, says he agrees with the ITRC's concerns. He introduced the Cybersecurity Notification Act of 2021, which called for quick reporting of data breaches. Many of the same goals in his bill were rolled into broader cybersecurity measures that were signed into law in 2022.
“There are reporting requirements in certain domains like finance, our banks, our utilities,” Warner said.
The ITRC says reporting requirements to a federal agency are a step in the right direction, but reporting data breaches directly to consumers is missing from the conversation.
“If we could wave our magic wand, we would love to see federal legislation, we would love to see minimum, enforceable standards,” Velasquez said.
Connecticut Attorney General William Tong is co-chair of the Cybersecurity Committee for the National Association of Attorneys General.
“Waiting for Congress to act on all this means we'll be waiting for a long time,” Tong said.
“When you have bad actors out there hacking and taking our personal information and maybe there are companies and corporations that aren't doing enough, then it falls on me and my fellow attorneys general to go after them and make them do the right thing, right?”
Every state has data breach laws in place. But only some mandate how quickly a company must notify consumers. In Connecticut, it’s 60 days. In Florida, it’s 30.
Here in California, there is no set number of days. Our law says “The disclosure shall be made in the most expedient time possible and without unreasonable delay.” But the law doesn’t define an “expedient time” or when a delay is “unreasonable.”
California does require data breach notices to include what happened, what information was involved, what’s being done about it, what the customer can do, and a ‘for more information’ option. However, experts fear not all companies are playing by state rules.
“The longer we wait to address this issue, the further behind we’re going to be,” Velasquez said.
There’s a pressing need to speed up data breach notices because hackers can quickly capitalize on our stolen data -- namely, our passwords. Sometimes thieves only need to steal one password to steal our identities.
“It’s scary,” said David Henry from NETGEAR. The router company recently surveyed more than 2,000 people and found that 67% of respondents are using the same password on multiple accounts.
“All it takes is one of those companies, maybe the startup that went out of business, one of those companies to get breached. Well, that password is now on the dark web,” said Henry.
What can consumers do?
So what can you do? Two things.
Step one - turn on 2FA or two-factor authentication. That’s the security option that sends a code or a push alert to your phone when anyone tries to log in.
Step two - make your passwords stronger – and longer.
“Long enough that it’s got lower case, capital, a number, and a special symbol like a dollar sign or an exclamation point,” Henry told us.
And just in case your data ends up on the dark web, make sure your credit reports are frozen. That will prevent anyone with your personal information from opening any new accounts in your name.