How many notices of data breach letters have you received in the mail?
And by the time you get the letter, are you able to take action to protect your information?
Is the government helping to protect you?
NBC Responds and Telemundo Responde reporters working around the country have teamed up to investigate.
Get top local stories in Connecticut delivered to you every morning. >Sign up for NBC Connecticut's News Headlines newsletter.
Here in our state, 1,478 businesses reported experiencing a data breach that impacted Connecticut residents in 2022 and 1,790 were reported in 2023.
NBC CT Responds requested these records from the state.
“If we could wave our magic wand, we would like to see federal legislation. We would like to see minimum, uniform, enforceable standards,” said Eva Velasquez, the president and CEO of the Identity Theft Resource Center, or ITRC.
NBC CT Responds
Velasquez said as the ITRC is seeing more cyberattacks, impacted consumers are getting less information from companies about what caused it.
“The more we leave out and don’t inform, the less ready we are to mitigate any upcoming risk,” Velasquez said.
NBC Responds and Telemundo Responde reporters have learned from experts that detecting and investigating a breach can take time.
“And that number is reportedly still over 200 days and then it takes on average 70 to 75 days for it to be actually reported,” said Michael Bruemmer, vice president of global data breach resolution and consumer protection at Experian.
But the ITRC said if the delay in disclosing is a fear of impacting the company’s stock or quarterly profits, then that’s a problem.
“Virtually everybody's been a victim of a data breach or being hacked. And if you haven't, it's just a matter of time,” Sen. Mark Warner (D-VA) said.
Warner introduced a bill in 2021 that called for the faster reporting of data breaches.
“I think the reporting needs to be done literally in days, not weeks, or years,” he said.
The Cybersecurity and Infrastructure Agency is currently creating reporting regulations based on his push for change.
“Waiting for Congress to act on all this means we'll be waiting for a long time,” Attorney General William Tong (D-CT) said.
But our state’s attorney general said you shouldn’t hold your breath for a federal data privacy law.
Connecticut requires companies with customers in our state to notify consumers within 60 days of discovering a breach.
NBC CT Responds Caitlin Burchill asked, “Is that working here? Is that helping?”
“Not well enough. I'll be honest, we're concerned about how fast companies are reporting. They know they have an obligation report,” Tong said.
As an example, Change Healthcare sent out a notice about a data breach on Aug. 5 - for a discovery that a cybercriminal copied patient data from its computer system in March.
That’s a warning five months later.
The CT Attorney General’s Office continues to investigate.
“The law gives me a big hammer, and that's the message we're trying to send,” Tong said about companies that don’t follow Connecticut’s notification law.
Change tells NBC CT Responds, “We continue to notify potentially impacted individuals as quickly as possible, on a rolling basis, given the volume and complexity of the data involved and the investigation is still in its final stages.”
While the ITRC said reported data breaches are slightly down this year, “At some point, they will need a data refresh,” Velasquez said of bad actors who steal and sell data.
So, be proactive. Freeze your credit. Change your passwords. Question why certain companies need certain personal info from you.
Don’t ignore the litany of letters you may receive.
If you’re impacted, accept credit monitoring offers.