How much does a breach cost me?
A break down of how much it costs you when your information is leaked, by someone who dealt with it.
Have you ever been the victim of IRS tax fraud? Well I have. Twice.
The information required to file your taxes is a name, an address and an SSN. That is pretty amazing if you think about it because, unfortunately, it is not hard to get that information. The recent social media hacks means that if you have used Facebook, Linkedin or Clubhouse, then your name, email and/or phone number are out there. It doesn’t take much to match your name to another list that has your address and another one that has your SSN. This story is about how much it costs you to address a breach of your personal information, not how much it costs a company.
On April 14, 2015, (yes, the day before tax day) I received a refund letter from the IRS stating that my refund was on its way. I showed the letter to my husband and asked, “isn’t this odd?”
It was odd because we hadn’t filed our taxes yet.
I sat on that letter for 1 day, mulling it over. I couldn’t stand it any longer so I decided to do something stupid. I called the IRS. If you have ever called the IRS, especially on tax day, then you know why that is stupid. I spent a very long time on hold. Hours, actually, and was re-routed several times. Finally, a gentleman got on the other side of the phone and told me that we had been the victims of identity theft.
I froze.
I felt violated.
Had the hacker actually gotten the refund? There was no way we could pay them again. Would we still get our refund? What did this mean? What should I do?
It turns out that I had to do a lot of things and that the situation would follow me/ us for years. So I hope my experience and what I did might save you some time or, at least, give you instructions on what to do.
The information required to file your taxes is a name, an address and an SSN
.
The first step was to create an account with one of the 3 big credit rating companies and put a block on my credit. After that, I called my accountant. The very helpful IRS agent told me to do these things. I had to tell my accountant that we were not eligible to use the electronic filing system this year because of the breach. The IRS was going to send me a letter with special instructions. Apparently, we were now in a special category along with 1000s of other hacked people that put us into a super secure IRS system for reporting our taxes.
From my work in privacy, I happened to know that I also needed to file a report with the FTC. I searched the FTC website and found that, in order to log a complaint, you need a police report as proof. So, I headed to my local police station. Clearly not qualified to investigate this incident, the police encouraged me not to file a report.
They said, “a lot of people are complaining about being hacked and there is almost zero chance we will find the perpetrators.”
However, I told them that I needed the report for the FTC claim. That was enough for them to give me a form, which I filled out. The officer behind the front desk officer quickly scanned what I wrote and signed. I went home, scanned it and sent it to the FTC.
A few months later, my husband’s credit card was stolen, twice in quick succession. I extended the block on our credit. I sensed it was related.
The next year, when tax season happened again, we received another letter. We were hacked again. Um, what?
If you recall that special list of hacked victims we were on? Well, that list was hacked. Wash, rinse, repeat. Ugh.
But I haven’t gotten to the best part of this story!
The best part is that I was summoned to an IRS office. Literally, a physical building full of IRS agents! Who knew they even existed anymore, right? When I went in to this non-descriptive building, it had folding chairs as a “waiting room” and cubicles for the agents to sit in. There were signs everywhere that said “no cell phones.”
At the time, I was the General Counsel and VP of Business Affairs of a very hot startup and so not being online was pretty painful. As I sat there in front of the agent’s desk, he sat turned away from me so that he could type and read his computer screen. He did this for about 4 hours and only asked me a handful of questions. Luckily, I had a notebook. I think I wrote a novel (kidding). Anyway, after those 4 hours, he turned to me and said,
“I found it! Did you ever work for a company called XXX?” (keeping the name private because I don’t want to be sued)
“No, my employer used them as a payroll vendor, though.” I replied.
“Well, it appears that they suffered a breach of payroll records and that is how the hackers were able to find your name, address and SSN.”
“Oh.”
Grrr. That information made me angry. Had I ever received a notice of a breach? Nope. In those days, there weren’t any data breach notification laws so, legally, I had no rights.
In reality, I decided that I now had a mission in life: to save every single person in the world from having to go through this kind of situation. I was seething.
We have all read about how much breaches cost companies, but have you ever read about how much a breach costs you? Let’s do the math using this story:
4 hours for the initial call, 1 hour credit monitoring, 1 hour credit card issues, 1 hour police station, 1 hour FTC and 2 hours physically copying, organizing and mailing our tax returns, 4 hours tax IRS office + 2 hours driving. I estimate that there was at least another few hours of going through the process over again for the second hack, although it was not quite as extensive, so let’s round it to about 20 hours.
20 hours times the standard hourly rate of, let’s say $100, and it cost me $2000 in total to address the breach. Multiply that times the number of records reportedly hacked from Facebook (allegedly about 50 million, as disclosed last week) and that equals $100 billion, which would be the total cost absorbed by Facebook’s users.
I’ll leave it at that.
I am a lawyer, which makes me an advocate. Now, I am an advocate for individual privacy rights. In today’s business culture, the burden of any data breach is borne by the individual, even though the fault is not theirs to bear. I aim to change that by improving the system from within.
ClearOPS is my company. ClearOPS is a privacy tech company.
You’re the best, Caroline