What would you do if your personal information was breached?

What protections do people deserve from data breaches?  And how much should those actually affected by a breach receive?  These questions are currently being debated in Congress in light of the two OPM hacks, which compromised the security clearance records of over 20 million federal employees.  Free credit monitoring, usually lasting a year, is a standard part of an organization's response plan for its data breach victims.  In the case of OPM, the originally offered duration of three years was overridden by a recent Senate panel vote to extend it to 10 years for affected workers.

Raise the question of free monitoring for life, however, and those same Yes voters may become more hesitant.  Such an option was proposed by Representative Steny Hoyer (D-Maryland), who claimed, rightly, that there is no expiration date on when cyber thieves could use stolen information for identity theft or some other fraudulent action.  Unfortunately, according to Hoyer, the unprecedented, exorbitant cost of doling out this benefit is not something Congress could ever have anticipated budgeting for.  Meanwhile, the Professional Services Council has called the delay in protecting the 21.5 million victims of the second breach "unacceptable," and OPM has said it won't have such a protection plan in place until later this month.

On a more positive front for consumers, the Seventh Circuit's ruling last month on the Neiman Marcus data breach might make it easier for people to bring class action lawsuits in these cases, which usually get dismissed for lack of legal "standing" when the plaintiffs allege only potential financial injury in the future.  Which is not to say success would be guaranteed, since this particular suit could still be defeated "if resolving the claims would require individualized inquiries for each class member."

Either way, I don't think it's too much of a stretch to predict a growing preponderance of these class actions in the near future.  I said last time that this year could easily surpass the previous one as the real Year of the Data Breach, and the evidence just keeps piling up.  Last week we finally got a bead on the culprits in the United Airlines incident: in early June, the world's second largest airline (and one of the biggest contractors with the U.S. government) discovered an intrusion into its systems.  Now some investigators are claiming the hackers are based in China, backed by the government, and also responsible for the OPM and even the earlier Anthem breaches, along with intrusions at at least seven other organizations.  If true, this would seem to point to China's intelligence network compiling a substantial database of information.  Think about it.  Healthcare data, security clearance records, and now a key component of U.S. infrastructure, airline transportation?  What great resources for tracking the flights of U.S. officials or contractors, causing gridlock, or even blackmailing or recruiting people with the right clearances.

That reminds me, I miss Burn Notice.

Anyway, United has yet to determine precisely what information was taken, or to decide whether to notify customers that their data might be at risk.

If you were a data breach victim in this case, what would you see as the appropriate response?

By: Jonathan Weicher