Show Transcript

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 5, 2024, and the first episode of our fifth season. Happy New Year! Thanks to Sentilink for their support of the podcast and the ITRC. Each week, we look at the most recent events and trends related to data security and privacy. This week, we will discuss FOMO – the fear of missing out. Specifically, we will talk about the Attorney General of Michigan, who, like many other people, is frustrated to learn about a data breach from the news media and not from the company that was attacked. That is what happened in the case of the latest Corewell Health data breach.

The History of Data Breach Laws

The earliest data breach laws were all at the state level of government. There were no requirements to inform any state official, and no federal regulations required notice of a data breach. In the 20 years since the first state law went into effect, 34 states and all of the major federal agencies have imposed a requirement that government officials be notified along with consumers of a data compromise and, in some cases, a cyberattack, even if it does not lead to a data breach. 

Michigan AG Learns of Corewell Health Data Breach from News Reports

However, that is not the case in Michigan, where Attorney General Dana Nessel called attention after Christmas to the Corewell Health data breach impacting one million state residents – the second breach at the company in 2023. Nessel learned of the compromise from news reports, not the company involved.

“It’s really frustrating to be the person who is in charge of protecting consumers in the state and having really limited authority to timely respond to data breaches,” Nessel told a Michigan news website. The AG also noted that victims of the Corewell Health data breach whose sensitive information was at risk could have taken steps much earlier to protect themselves if Michigan had stronger notification requirements, including a mandatory notice to her office.

Inadequate Data Breach Laws

You will hear a lot about this topic this year. The ITRC has a long-standing belief that most state data breach laws are inadequate when it comes to protecting victims and reducing data breaches. On January 25, the ITRC will release the full-year data breach report for 2023, and we will explore the need for a uniform data breach notice standard in that report along with an eye-popping number of data compromises reported last year.

Contact the ITRC

If you want to know more about how to protect your business or personal information, the Corewell Health data breach, or think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the ITRC and this podcast. Be sure to check out our sister podcast, the Fraudian Slip, where we gaze into the future to see what to expect in 2024 regarding all things identity. We will return next week with another episode of the Weekly Breach Breakdown.