Personal data of over 50 million consumers fell into the hands of cybercriminals in August as T-Mobile, a leader in the telecommunications industry, experienced a massive data breach. The compromised personal information includes names, driver’s license numbers, Social Security Numbers and device identification (IMEI and IMSI) numbers for subscribers, former customers and prospective customers of T-Mobile. Just about anyone who has given their information to T-Mobile could be affected by this breach. This breach has led to an investigation by the Federal Communications Commission (FCC), and some members of Congress are calling for increased privacy regulations to discourage organizations from engaging in improper data handling procedures and to punish those who fail to protect consumer data.

T-Mobile’s Response

According to the company’s CEO, Mike Sievert, the breach, which also included a breach of Metro by T-Mobile, did not expose any customer financial information such as credit card information, debit or other payment information, and “there is no ongoing risk to customer data from this breach.” The wireless carrier is also now offering free identity theft protection, advanced spam-blocking, and an Account Takeover Protection service to better protect its customers’ information. Moreover, the telecommunication company has formed long-term partnerships with Mandiant and KPMG for more cybersecurity expertise and has reset PINS for all prepaid customer accounts after the exposure.

Data Breach Lawsuits Rolling In

Despite T-Mobile’s post-breach efforts to mitigate the damage, consumers impacted by the data breach are not happy. The mobile carrier now faces at least two class action lawsuits for the security incident. Both lawsuits, one filed in Georgia and another filed in Washington federal court, accused T-Mobile of violating the Federal Trade Commission Act by being negligent with the private information of millions and allowing it to be compromised by cybercriminals. Although the Georgia suit does not state an amount of monetary damages sought, the Washington complaint intends to seek “damages of no less than $100 and up to $750 per customer record subject to the data breach” for class members from California under the state’s data privacy laws. For class members outside of California, the Washington suit requests that the court “increase the damages awarded for each class member by three times the actual damages sustained not to exceed $25,000 per class member.” The Washington class also requested that T-Mobile return to the customers any amount of their monthly payments that went or should have gone to cybersecurity and data protection. And, with over 50 million customer accounts being affected, the financial consequences of these lawsuits could be crippling for T-Mobile.

How Your Company Can Better Prepare for a Cybersecurity Incident

The ramifications of the T-Mobile data breach were catastrophic because the company did not implement proper data handling procedures, and it was not adequately prepared for a cyberattack. For instance, some reports have said that this cybersecurity incident involves data that dates back to the 1990s, which suggests that T-Mobile has been storing unnecessary data on outdated systems. This is a prime example of what business should not do when it comes to data processing and data storage. Instead, as a best practice, companies should engage in data minimization and delete data that is obsolete or is no longer needed. Doing so will allow your organization to have a better understanding of what data it has in its systems. When a company loses track of the data it has collected, it ends up with old information that is stored on outdated systems and cannot be patched for vulnerabilities. Organizations that engage in this improper practice are more susceptible to cyber incidents. Implementing appropriate cybersecurity procedures that are compliant with applicable data privacy laws can prepare your organization for anticipated data breaches and allow it to avoid hefty lawsuits similar to those currently filed against T-Mobile. You should consult with professionals experienced in cybersecurity and data privacy regulations to proactively advance your organization’s policies and procedures pertaining to cybersecurity and data protection. Doing so will limit your organization’s exposure to the burdensome risks and liabilities that can result from a cybersecurity incident.

How Consumers Can Secure Their Information After a Data Breach

Although businesses that process consumer data should be responsible for safeguarding their customers’ private information, consumers should also be aware of steps that they can take themselves to secure their information after their data has been compromised due to a company’s failure to implement effective security policies and procedures. The following points outline several of those steps.

1. Freeze Your Credit With All Three Bureaus

  • If your personal information has been exposed as a result of a data breach, one of the first things you should do is put a freeze on your credit card associated with the compromised account. Doing so will prevent anyone with your information from opening a line of credit, or taking out any loans under your name. To freeze your account, all you need to do is complete a form with Equifax, Experian and Transunion to make the request.

2. Use a Credit Monitoring Service

  • Staying informed of what is on your credit report is an easy way to make sure that your information is not being used without your knowledge or consent. Some companies may even offer free credit monitoring to victims of a data breach. For instance, T-Mobile is offering two years of McAfee’s ID Theft Protection Service for free to those affected by this latest breach.

3. Sign Up for Identity-Theft Monitoring

  • Monitoring your credit report is an important step to take, but there is more that can be done with your personal information than just unauthorized credit charges. Identity-monitoring services will monitor the dark web for parties selling or trading your personal information and for arrests made under your name.

4. Utilize a Password Manager

  • Using a unique and strong password for every online account you control is a good way to make sure a breach of one account does not lead to cybercriminals compromising more of your online accounts where you used the same password. Instead of reusing a password or series of passwords, you can rely on a password manager to create, store and autofill your login information for you.

5. Don’t Wait to Protect Your Personal Data

  • Perhaps the most important aspect of acting after a data breach is announced is to not wait for the compromised party to announce how they intend to respond. Consumers should be proactive in protecting their personal information.

T-Mobile’s latest data breach is another example of why Congress needs to pass national privacy and data security legislation to establish a federal cybersecurity standard. Strong national standards can ensure that industries strengthen their cybersecurity and data privacy practices and keep up with the evolving methods cybercriminals use to steal personal information. In any event, companies can learn from T-Mobile’s cybersecurity pitfalls and respond by assessing their own cybersecurity risks and making company-wide changes to improve their overall approach to cybersecurity.

How Brouse Can Help No organization is immune from experiencing a cybersecurity incident. In fact, it is not a matter of “if” an organization will experience a cybersecurity incident, but rather “when” an organization will experience a cybersecurity incident and “how” well-prepared the organization is in responding to any such incidents. Brouse McDowell’s Cybersecurity and Data Privacy team can provide the guidance and tools you need to assess your organization’s cybersecurity risks and to establish the appropriate policies and practices needed to improve your approach to data protection. We provide proactive solutions for companies to defend against cyber-attacks and a variety of other data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response).