The Weekly Breach Breakdown: All’s Well that Ends Well – Don’t Ignore A Notice of Data Breach Letter

• It’s standard, if not legally required, for businesses to issue a notice of data breach letter if they were breached. They usually include what information was accessed and offer some form of identity protection, like in the recent T-Mobile data breach notice.
• The same standard applies to data breach settlement letters. There is often some free product or service offered, like in the recent Wawa data breach settlement.
• Don’t ignore a notice of data breach letter or lawsuit settlement letters. You could be leaving valuable protections (credit monitoring, anti-spam services, best practices, etc.) and the occasional compensation (a settlement payment) for your trouble on the table.
• To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC’s) data breach tracking tool, notified.
• If you believe you are the victim of an identity crime or a data breach, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website www.idtheftcenter.org.

All’s Well that Ends Well

Welcome to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown for September 3, 2021. Our podcast is possible thanks to support from Experian. Each week we look at the most recent events and trends related to data security and privacy. Last week we talked about what it takes to file a successful lawsuit after a data breach. This week we look at what to do when your personal information has been exposed and you receive a notice of data breach letter, and later when you get a notice after a data breach lawsuit has been settled.

Shakespeare dispensed a lot of advice in his plays, none more helpful than in Act 1 Scene 1 of All’s Well that Ends Well: “Love all, trust a few, do wrong to none.” Do you know what else is filled with helpful advice? A well-written data breach notice.

Laws Around A Notice of Data Breach Letter

Every U.S. state, territory and the District of Columbia has a law that requires consumers to be notified when their personal information has been compromised. That’s pretty much where the commonality ends. The definition of personal information, the form of a notice, the distribution method, the length of time that can pass before a notice of data breach letter is issued, and the remedies available to impacted consumers are unique to each state.

However, it’s pretty much standard practice, if not legally required by your state, for businesses to disclose in broad terms what information was accessed and to offer some form of identity protection.  There are often other protection tips in the notice, including changing your passwords.

Consumers Ignore Notice of Data Breach Letters

Unfortunately, most people ignore both the notice and the advice. We’ve talked here about recent studies from the University of Michigan and Carnegie Mellon University that show nearly three-quarters of people who receive a notice of data breach letter don’t even know they received it. Only one-third of data breach victims change their passwords (and those who do used a weaker, similar password to the one that was compromised).

Protection Advice & Free Services Offered by Breached Companies is Improving

The recently breached T-Mobile raised the bar by offering not only credit monitoring, but also identity remediation services in the event a customer’s personal information is misused. T-Mobile is also offering free anti-spam services for all impacted customers and account takeover protections for pre-paid customers.

T-Mobile suggests you change your passwords, so you are not using the same password that has been compromised on any other account. Regular listeners to the ITRC podcasts will be familiar with this advice.

Data Breach Lawsuit Settlement Letters Also Offer Free Products

When a notice of data breach letter is issued, it is not the only time breach victims are offered free swag. When breach lawsuits are settled, there is often some free product or service provided. However, victims are usually required to take some action to get the award.

Wawa Data Breach Settlement

That’s the case with the recent settlement of a lawsuit against the east-coast-based convenience store chain Wawa, better known for its deli sandwiches than the 2019 data breach. Of the 22 million people who received settlement letters and are eligible for a settlement payment, those who made a purchase with a debit or credit card during the breach period but did not see evidence of identity fraud will get $5 gift cards. Those who can present proof of actual or attempted fraud will get a $15 gift card. Those who can show evidence they lost money can receive as much as $500 cash.

All claims must be submitted by November 29, 2021. So, the clock’s ticking if you want a free Wawa meatball grinder with extra cheese.

The Key Takeaway

In both of these scenarios, the key takeaway is the same: do not ignore a notice of data breach letter or lawsuit settlement letters. You could be leaving valuable protections and the occasional compensation for your trouble on the table.

Contact the ITRC

If you think you have been the victim of an identity crime or a data breach and you need help figuring out what to do next, you can speak with an ITRC expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Experian for supporting the ITRC and this podcast. Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.