Understanding the lingo

When a data breach occurs, the organization that was hacked will likely be required by law to notify customers whose information was exposed. They do this in the form of a data breach notification letter. Many of us have received a letter like this; many have received several.

Data breach notification letters are meant to explain to consumers what personally identifiable information may have been exposed in the attack, when the attack occurred, what the company is doing to better protect customer data going forward, and what services are being offered to victims to help address the harm that could stem from the breach.

Companies are legally required to notify customers, but the letters aren’t always 100% helpful. They can be both complex and vague and leave the consumer confused about what has happened and what to do next. We’ve put together this glossary to help you better understand some of the terminology commonly used in data breach notification letters.


Credit monitoring
Credit monitoring is the practice of watching one's credit reports and credit activity in order to detect suspicious or unauthorized activity, such as a new account or a credit inquiry you did not initiate. The term also refers to a subscription service that does this watching on a consumer's behalf. All consumers are advised to monitor their credit so they can identify and dispute unauthorized activity, which may indicate that identity fraud has occurred. After a data breach, victims whose information was exposed are often offered free credit monitoring for a certain period of time.


Cybercriminal
A cybercriminal is someone who uses computers or networks to commit crimes, such as illegally gaining access to data that does not belong to them, for financial gain or to cause harm.


Data breach
A data breach is an incident in which an unauthorized person gains access to a company's or other institution's stored data. Attackers breach sensitive, protected, or confidential data in order to view it, steal it, and share it with or sell it to others. Not every breach involves hacking: a misconfigured server, a lost laptop, or an employee sending records to the wrong recipient can expose the same data. Data breaches may expose records including personally identifiable information (such as Social Security Numbers, dates of birth, and email addresses), personal health information, trade secrets, intellectual property, or other types of data.


Data security
Data security means protecting data from the unwanted access and actions of unauthorized users.


Encryption
Encryption is one of the most effective forms of data security. Encrypted files must be decrypted with a secret key or password before they can be read, so an attacker who copies them without the key gets nothing usable. A notification letter that says the stolen data was encrypted is reassuring only if the key was not also exposed; a letter that mentions encryption but says nothing about the keys leaves that question open.


Identity fraud
Identity fraud (also known as ID fraud or ID theft) refers to crimes in which someone wrongfully uses another person's personal data, for example to open an account, obtain credit, or file a tax return in that person's name. Identity fraud is typically committed for the fraudster's economic gain.


Identity theft monitoring
Identity theft monitoring (also known as identity theft protection, identity protection, and similar terms), unlike credit monitoring, refers specifically to paid subscription services from a company hired to safeguard a consumer from identity theft. ID theft protection services monitor accounts, place fraud alerts or freezes on your credit reports, or remove your name from marketing mailing lists. Many people find the service convenient and worth the expense, and breached organizations often offer it for free to affected consumers. It is important to note, however, that most of what ID theft monitoring companies offer a consumer can do on their own for free, including placing a fraud alert or credit freeze directly with each credit bureau.


Malware
A combination of the words "malicious" and "software," malware refers to computer programs intended to damage or disable computers and computer systems, or to gain unauthorized access to the data on them. Malware can be used against an individual's computer to steal files or login credentials, and it is frequently the tool used to break into large computer systems in a data breach.


Personally identifiable information
Personally identifiable information (PII) is a legal term used in U.S. privacy law and information security. PII is information that can be used to identify, contact, or locate a single person, or to identify an individual in context. PII is collected by the companies we have relationships with and by the websites we visit. A good website's privacy policy should specifically address how PII about users is gathered, and lawmakers work to protect our PII. PII is extremely valuable to hackers and those who intend to commit crimes: it is frequently obtained through data breaches, and a profitable black market exists where PII is collected, shared, and resold. PII can be used to commit identity fraud and other criminal acts.


Phishing
Phishing is a form of fraud in which a victim is tricked into providing sensitive personal information by a criminal posing as a legitimate company. Victims are often reached by an official-looking email that directs them to click on a link or open an attachment. A common tactic in phishing emails is asking consumers to click on a (fraudulent) link to confirm account information or other sensitive data; the link leads to a site controlled by the criminal, not the company it imitates. Consumers may also receive phishing phone calls (sometimes called vishing) or text messages (smishing). After a breach, the exposed details are often used to make phishing messages more convincing, so a message that correctly cites your account number or a recent purchase is not proof that it is genuine.
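The checks below are an added example, not part of the original glossary, showing how the tell-tale signs of a phishing email described above (a display name that claims a brand the sender's domain does not belong to, a link whose visible text does not match where it actually points, a lookalike host, and urgency wording) can be flagged automatically. Both messages, the `examplebank` brand, its allowed domain list, and the keyword list are constructed for the demonstration.

```python
"""Flag common phishing indicators in a raw e-mail (constructed samples)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed table: brand name as it appears in display names -> domains that
# legitimately send mail for that brand. A real deployment would maintain this.
BRAND_DOMAINS = {"examplebank": {"examplebank.com"}}

# Assumed list of pressure phrases typical of credential phishing.
URGENCY_WORDS = ("verify", "confirm", "suspended", "within 24 hours", "immediately")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels. Adequate for the .com-style
    hosts in this demo; production code should consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url_or_host):
    """Hostname of a URL, or of a bare host written without a scheme."""
    s = url_or_host if "://" in url_or_host else "http://" + url_or_host
    return (urlparse(s).hostname or "").lower()


def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name names a brand, but the sender's domain is not that brand's.
    name, addr = parseaddr(str(msg["From"] or ""))
    sender = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for brand, good in BRAND_DOMAINS.items():
        if brand in name.lower().replace(" ", "") and sender not in good:
            findings.append(f"sender domain {sender} does not belong to {brand}")

    # 2. Link checks: shown URL vs real target, and brand name inside a foreign host.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(html)
    for href, shown in collector.links:
        link_host = host_of(href)
        link_reg = registrable(link_host)
        if "." in shown and " " not in shown:  # the visible text looks like a URL
            if registrable(host_of(shown)) != link_reg:
                findings.append(f"link text shows {shown} but points to {link_host}")
        for brand, good in BRAND_DOMAINS.items():
            if brand in link_host and link_reg not in good:
                findings.append(f"lookalike link host {link_host}")

    # 3. Pressure language in subject or body.
    haystack = f"{msg['Subject'] or ''} {html}".lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed phishing message: lookalike sender, disguised link, urgency.
PHISH_SAMPLE = """From: "ExampleBank Security" <alerts@examplebank-secure.net>
To: customer@example.org
Subject: Action required: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended within 24 hours unless you verify it.</p>
<p><a href="http://examplebank.com.login-verify.net/confirm">https://www.examplebank.com/login</a></p>
</body></html>
"""

# Constructed legitimate message from the brand's own domain.
LEGIT_SAMPLE = """From: "ExampleBank" <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is available in online banking.</p>
<p><a href="https://www.examplebank.com/statements">View statement</a></p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, phishing_indicators(sample))
```

The host comparison is deliberately done on the registrable domain rather than the full hostname, because `examplebank.com.login-verify.net` is controlled by whoever owns `login-verify.net`, no matter how the left-hand labels read; that is exactly the trick the "confirm your account" link relies on.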


Skimming
Skimming is a type of fraud in which a criminal captures the data on a legitimate credit or debit card and copies it onto a duplicate card (known as "card cloning"), which can then be used to make unauthorized charges against the original account. The skimmer does this without the knowledge of the original cardholder. To "skim" the card information, thieves covertly attach card readers to ATMs, gas pumps, and other places where people swipe their cards. These readers capture the data from each card that is swiped and store it for the criminal to use or sell to others.