Privacy Alert 24-03
Date: October 16, 2024
Subject: Mitigating Efforts in the Aftermath of Data Breaches
Introduction
The State Privacy Office received reports of a case in which Utah data breach victims were offered free credit monitoring, but those who accepted were automatically enrolled in marketing programs and had their information shared with other companies. We have also observed victims being enrolled by default in a paid subscription that auto-renews once the free monitoring period expires. Opting out of or limiting these practices was burdensome and unclear, leaving victims with little control over their data in the aftermath of a breach.
Why is this a problem?
- Loss of Control: Victims may unknowingly allow their data to be widely shared, losing further control over how it is used, and may be unable to opt out because the process is too difficult.
- Higher Risk of Future Breaches: Each additional disclosure of the same data to another company increases the chance of further exposure.
- Unwanted Marketing: Automatically enrolling victims in marketing and paid programs exploits individuals in a vulnerable situation. It adds risk and stress for people already affected by a data breach, making them more likely to make decisions they would not otherwise make.
State Privacy Officer Recommendations:
- Provide guidance: Advise your employees and the population you serve to limit data sharing when enrolling and to opt out of marketing and auto-renewals of payments where possible.
- Stay Informed: Encourage individuals to contact service providers to understand how their data will be used and read privacy policies before accepting terms.
- Work with Vendors: Request that vendors limit commercial data sharing for data breach victims by default and disable payment auto-renewals. Include this requirement in contracts with the relevant third parties, following the "privacy by design and default" principle.
- Enhance Clarity: Ensure individuals receive notices in simple language explaining how their data will be used and how to control it. Where a vendor has not met your requirement to limit data sharing by default, the notice must include clear instructions on how to opt out of having their data shared.
Conclusion
Credit monitoring should assist individuals without creating additional risks. By prioritizing privacy by design and default, allowing individuals to control how their data is used, and requiring the same of the vendors they work with, governmental entities can offer better support and reduce the likelihood of future incidents. For further guidance and targeted training, please contact the State Privacy Officer.