Office of the Utah State Auditor

Office of the
State Auditor

Navigation

Privacy Alert 24-03

Date: October 16, 2024

Subject: Mitigating Efforts in the Aftermath of Data Breaches

Introduction

The State Privacy Office received reports of a case in which Utah data breach victims were offered free credit monitoring, but if they accepted, they were automatically enrolled in marketing programs and their information was shared with other companies. Additionally, we have observed the automatic enrollment of victims in payment renewals by default once the free period expires. Opting out of or limiting such practices was burdensome and unclear, leaving victims with little control over their data in the aftermath of a breach.

Why is this a problem?

State Privacy Officer Recommendations:

Conclusion

Credit monitoring should assist individuals without causing additional risks. By prioritizing privacy by default and design, allowing individuals to control how their data is used, and requiring the same of the vendors they work with, governmental entities can offer better support and reduce the likelihood of future incidents. For further guidance and targeted training, please contact the State Privacy Officer.