On August 10, 2022, NAF, Inc. reported a data breach with the various state attorney generals’ offices. While these filings do not indicate which type of information was compromised as a result of the incident, based on state data breach reporting requirements, it is likely that the incident affected one or more of the following: Social Security numbers, protected health information, or financial account information. After confirming the breach and identifying all affected parties, NAF began sending out data breach letters to all affected parties.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the NAF data breach, please see our recent piece on the topic here.

What We Know About the NAF Data Breach

The information about the NAF, Inc. data breach comes from an official filing with the office of the Vermont Attorney General. According to the most current information, on March 30, 2022, NAF detected unusual activity within its computer network. In response, the organization secured its systems and contacted outside cybersecurity professionals to assist with the company’s investigation.

The NAF investigation confirmed that an unauthorized party gained access to the company’s computer network on March 19, 2022, which lasted until the company discovered the breach on March 30, 2022. The investigation also revealed that the unauthorized party had access to files on the NAF system that potentially contained sensitive consumer information.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, NAF began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. In the organization's most recent filings, it does not disclose the data elements that were compromised as a result of the breach. However, because organizations only need to report incidents that affect highly sensitive and personal information, there is a reasonable probability that the NAF data breach involved individuals’ names and one or more of the following data types:

• Social Security numbers,

• Financial account information, or

• Protected health information.

On August 10, 2022, NAF sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

More Information About NAF, Inc.

Founded in 1980, NAF, Inc. is a national network of education, business, and community leaders working to ensure high school students are college, career, and future ready. The organization focuses on partnering with high-need communities to improve outcomes for students by implementing NAF academies, which are small learning communities within existing high schools. NAF has created and operates hundreds of academies across the United States, focusing on growing industries such as finance, hospitality & tourism, information technology, engineering, and health sciences. In 2020-2021, more than 117,000 students attended NAF academies across 34 states. NAF employs more than 52 people and generates approximately $17 million in annual revenue.

Protecting Yourself from Identity Theft in the Wake of a Data Breach

For many who have never experienced identity theft, the harms of a data breach may not seem all that bad. However, in reality, once a hacker uses your information to steal your identity or commit other frauds in your name, resolving the situation can be time-consuming, stressful and costly. In fact, according to some estimates, it costs the average data breach victim more than $1,300 to resolve a case of identity theft and takes up to 200 hours to do so. This is hardly a minor inconvenience.

After a hacker obtains your information in a data breach, they typically act quickly, opening up new accounts in your name or filing a tax return on your behalf to obtain your tax refund. If you receive notice of the breach in a timely manner, however, it may give you the chance to reduce the risk of fraud by taking certain steps to protect yourself. Below are some of the most important steps to take after any data breach. Of course, depending on the type of information that was leaked, you may need to take additional action,

• Review the data breach letter to identify what information was leaked;

• Report the breach to your banks and credit card companies;

• Close any bank accounts or credit card accounts if your account numbers were compromised;

• Enroll in free credit monitoring, which is usually provided by the company that leaked your information;

• Contact a credit bureau to place a fraud alert or credit freeze on your credit account; and

• Keep a close eye on your bank and credit card accounts for any signs of fraudulent activity.

By taking these steps, you can greatly reduce the chance of falling victim to identity theft or other frauds.

Of course, the burden to prevent identity theft should fall on victims’ shoulders. And sometimes, despite taking all available precautions, victims of a data breach still experience identity theft. In these situations, it is important that you understand their rights. The United States data breach laws allow victims to bring a data breach class action lawsuit against a company that negligently leaked their information. However, these cases are complex, and those with questions about what to do after a data breach or what rights they have against a company should reach out to a data breach lawyer.