(InvestigateTV) — Millions of Americans have had their personal information exposed via data breaches and companies are supposed to tell them when it happens.
James Lee, president of the Identity Theft Resource Center (ITRC), said his team has noticed a troubling trend with data breach notices nationwide — they often lack specific information about how the attack happened.
“More than two-thirds of data breach notices don’t tell us what happened!” Lee shared.
An ITRC report shows 69% of notices did not include an “attack vector” — an explanation as to how the attacker gained access to a network or system.
Lee said this lack of transparency makes it harder for people and organizations to defend themselves against future attacks.
“All of this information taken together tells us that there are far more data breaches than we know about,” he shared. “There are far more people being impacted than we know about. And we’re not getting the information we need to protect ourselves and companies are not getting the information they need to be able to protect our data on our behalf.”
This means it is likely that some organizations are not issuing notices, skirting accountability.
“When we’re talking about data breaches — and data breach notices — those are creatures of state law. Every one of them has a different law with a different trigger and a different definition of what is required to issue a data breach notice,” Lee explained. “But for the most part, we don’t have a system today that protects our privacy, because we don’t have a privacy law on a national level and we don’t have workable data breach laws on the state level.”
He said the country needs stronger laws to reduce breaches and require companies to be more transparent when they happen.
“We need a national privacy law, we need a better data breach notification law and we need organizations to view that as, it’s their duty!” he emphasized. “It’s not just something that they do as a side part of running their business.”
Lee urged business owners to train their employees to spot phishing attempts, have a response plan ready before a breach hits, and never think they’re “too small” to be a target.
“No business is too small to be attacked. You have data? They want it!” he stressed. “That’s the standard! So, if you have information on your employees or your customers there’s somebody out there in the world that wants that information so they can use it for ill gains.”
Lee said the best defense is to stay alert, protect personal information, and for businesses to make sure their organization and customers are safe.
He also recommended that companies regularly conduct security assessments of third-party vendors, closely monitor their access to data, and require multi-factor authentication across all critical systems.