What to do if you receive a data breach notification letter

Summary: If you’ve received a letter alerting you that your personal information may have been exposed in a company’s data breach, you probably have many questions. Here’s a guide to understanding the letter and what steps you should take to protect your privacy and identity.

Before you take action, first understand why you received the letter

Thanks to an alarmingly large number of corporate data breaches in recent years, combined with stronger federal and state privacy laws, it’s becoming more and more common to receive a breach notification letter by mail. In fact, the Identity Theft Resource Center reports that 1.36 million data breach victim notices were sent in the U.S. in 2024.

These letters provide details about the breach and the type of personal information that may have been exposed; they may even include some general advice about fraud prevention. But they don’t typically explain the real risks you face or provide you with a customized plan of action.

So what should you do if you’ve been affected by a data breach? The answer depends on two things: what type of organization experienced the breach, and what kind of information was exposed.

This article will help to answer these questions and identify the steps you can take to minimize your personal risk. (If you’re an IDX member, note that our team of fraud and identity recovery experts will personally assist you in understanding your breach notification letter and in managing your response.)

A data breach occurs when there is an unauthorized entry point into a corporation’s database that allows cyber hackers to access customer data such as passwords, credit card numbers, Social Security numbers, banking information, driver’s license numbers, medical records, and other sensitive information.
― Nicole Martin, Forbes magazine

Data breach: A definition

According to the National Association of Attorneys General, a data breach can be defined as “the unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information.” Personal information can include:

  • Name
  • Social Security number or tax ID number
  • Driver’s license number or state-issued ID number
  • Account number
  • Credit or debit card number
  • Security or access code
  • PINs and passwords
  • Medical history or health information
  • Biometric information
  • Email address

# Step 1: Determine the information that was breached

While a breach notification letter may tell you what personal information was potentially exposed in a breach, you might not be getting the full picture. Businesses, wary of bad press and legal liability, typically don’t give out any more information than they have to. (Breach notification requirements vary from industry to industry and state to state.) Also, because privacy laws in recent years have established faster deadlines for breach notification, new information often comes to light weeks or even months after a breach letter is sent.

You might even hear about a data breach in the news before you receive a notification letter. If so, the news report may include a web address where you can go to find out whether your information has been exposed. Your best bet is to keep checking the news as the story develops. In the meantime, use the breach notification letter or news reports as a starting point for your defense plan.

Make a list of all the information you may have shared with the organization. Ask yourself:

  • Where else do you use the same username and password that might give criminals access to other accounts?
  • Does the organization use your Social Security number as an ID?
  • Do you use your email address as a username?
  • What credit cards or account numbers have you given them for payments or deposits?
  • Are they storing your health data or tracking your travels?
  • Do they have an archive of your personal communications or photos that you might not want to be made public?

All of this information could be used to hijack your identity or be weaponized against you in other ways. By knowing exactly what information may have been exposed, you can take steps to mitigate harm. For example, you can change passwords on other accounts that use the same credentials, or activate a fraud alert on your credit profile.

# Step 2: Create an identity defense plan

The personal information exposed in a data breach typically falls into three broad categories. Take a look at your list of shared information and sort it as follows:

  • Financial information—information tied to things like credit cards or bank or brokerage accounts; money market funds; loans or lines of credit; Social Security numbers tied to retirement benefits, taxes, and refunds; and veterans (VA) benefits.
  • Medical information—including health plan numbers and member IDs for private insurance or Medicare/Medicaid, as well as information about medical conditions and treatment.
  • Other personal information—including personal details which may not be protected by privacy laws but which might be used to con, coerce, or embarrass a breach victim. Such information can also be used in phishing attempts to scam you, your family, friends, or work colleagues into giving up personal information.

Now you can begin monitoring these areas for suspicious activity and signs of identity theft.

The best defense: Be proactive about protecting your identity and your privacy

While you can’t prevent data breaches from happening, you can help keep criminals from using breached information. Remember to stay on alert for news of breaches; be prepared to protect your identity; and watch for signs of identity theft so you can stop the crime in progress and limit the damage.

You can also be proactive about guarding your privacy. If your personal information has been compromised in a data breach, one of the best ways to protect yourself against identity theft is through identity and privacy coverage such as IDX’s Complete Plan. Along with advanced tools and services built to defend against cyberthreats, the plan includes $1 million in identity theft insurance, continuous monitoring of your credit report and credit score, and access to IDX’s expert care team, who work to ensure your identity and reputation are fully restored.

Getting a data breach notification letter can be a stressful moment. But by following these steps to plan and organize against the worst-case scenario, you can start to take back your privacy.
