
Data breach notification: Why when you're alerted varies by where you live

Maryland law requires a business to notify residents of a data breach within 45 days. In D.C. and Virginia, the law is vague. Here's what we learned and who's seeking change

Data breaches are a growing problem in the U.S. When you find out your info has been compromised depends on where you live. Consumer Reporter Susan Hogan explains.

If it seems like there’s a data breach daily, it’s because there is, with one every 39 seconds in the U.S. These breaches have major consequences.

A consumer we’ll call Stephen says hackers got cash advances from his credit card and drained his frequent flyer account. We’re not using his real name because he’s seen repeated attacks.

“I got so paranoid. I was like, ‘How do they keep getting in?’” he told NBC Bay Area reporter Chris Chmura.

Stephen traced the hack to a thief who impersonated him by using his leaked Social Security number and then called his bank.

More than 353 million people had their personal information stolen in 2023 in more than 3,200 breaches, according to the Identity Theft Resource Center.

By the time we’re notified our data was compromised, it could be weeks or months after a company was hacked, identity theft experts say.

“Currently it’s up to the impacted business to decide if there is potential harm to the people whose data has been compromised. They get to make that decision,” Identity Theft Resource Center CEO Eva Velasquez said.

When it comes to data breach notification, there’s not one standard federal law companies must follow; rather, there are 50 different state laws. It’s up to each state to determine when you find out you’ve been compromised – and sometimes that time frame is unclear.

Maryland law requires a business to notify residents of a data breach within 45 days

In D.C. and Virginia, the notification law is vague. Businesses have to notify you of a breach “without unreasonable delay.” When News4 asked them to define “unreasonable delays,” they never got back to us.

NBC stations across the country found other states’ laws aren’t any clearer.

'We would love to see federal legislation'

Virginia Sen. Mark Warner is working to get companies to change.

“Are they all doing enough? Not at all,” he said.

Warner introduced legislation in 2021 that would require quicker reporting from companies that have been hacked.

“I think the reporting needs to be done literally in days, not weeks,” he said.

But that’s only to report data breaches to the federal government, not to you.

Velasquez said her organization is seeking one national law on data breach notification.

“If we could wave our magic wand, we would love to see federal legislation. We would like to see minimum uniform enforceable standards,” she said.

Privacy experts say customers deserve timely notification that their data was compromised, regardless of which state they live in.

Here’s how to protect your personal information

Privacy experts have these tips:

  • Use strong passwords, with different passwords for each account
  • Freeze your credit reports
  • Use two-factor authentication

Sometimes, though, even taking all those measures isn’t enough.

“Before this, I had a credit freeze, I had two-factor, I had complicated passwords, and none of that mattered,” Stephen said.

He told our Bay Area colleagues he believes the identity thieves answered his bank’s security questions easily after they got his breached Social Security number and looked him up online.

Oversharing on social media can give data thieves all the information they need to complete a profile on you. So make sure your privacy settings are set to private, including your GPS settings.
