By Sonya Sellmeyer, Consumer Advocacy Officer for the Iowa Insurance Division

A data breach is an incident where sensitive or confidential information is illegally obtained by an unauthorized third party, either by accident or intentionally. The information obtained may be Social Security numbers, dates of birth, bank account numbers, health information, etc. The information is sold to scammers or made available publicly, and may lead to identity theft or financial loss.

According to the Identity Theft Resource Center (ITRC), there were 1,802 data compromises in 2022 totaling 422 million victims. Most data breaches occur electronically, but may also happen physically, via a skimmer, or by word of mouth.  A recent example of a mass data breach is the MOVEit breach that has affected a wide variety of businesses and the health data of roughly 8 million people.

Consumers can protect their information by not volunteering more information than is required, and contacting each of the three credit bureaus to review their credit report annually and to freeze their credit.  Freezing your credit is free and simple to do.

When a data breach happens, many companies will alert their customers. Under the Iowa Insurance Data Security Act, also known as the Cybersecurity Act, most licensed Iowa insurance companies are required to report data breaches to the Iowa Insurance Division no later than three business days from the date of the confirmation of a cybersecurity event. In addition, Iowa-domiciled insurance companies must develop, implement, and maintain a security program.

If you receive a data breach notice, read the notice carefully. The company may offer free credit monitoring services, which alert you if someone tries to open a new line of credit in your name. Also, alert any banks, credit unions or credit card companies attached to the account. Be cautious of callers claiming to be from the company where the breach occurred, as companies usually don’t call consumers about a breach. If the caller is asking for information the company should already have, or requesting money to protect your information, hang up; it is a scam. If you have any questions about a breach, always call the company at a known phone number.

You may use the website Have I Been Pwned? to determine if you have been the victim of a breach. When you enter your email address, the website shows you the data breaches where your email has been found. The website also recommends using strong and different passwords for websites, using two-factor authentication, and subscribing to their notifications so you are alerted when your email appears in a breach.

If you have been the victim of identity theft, you may put fraud alerts on your accounts with the three credit bureaus so they verify your identity before issuing credit.

Data breaches may be out of your control, but limiting the information provided to a company, reviewing your annual credit reports, freezing your credit, using strong and unique passwords, and using two-factor authentication may help protect your personal information when a breach occurs.