Asbury Park

After a Data Breach, Your Identity May Never Be Truly Safe

Data breaches have become so common that most people ignore the notification emails. They probably shouldn't — and a new wave of technology is trying to change the math.


Check your inbox. Somewhere in there, there is probably a data breach notification you have not read. Maybe two. The emails follow a predictable pattern — a company logo at the top, a sentence about how they take your privacy seriously, an offer of free credit monitoring for twelve months, and a list of the information that was exposed.

Name. Address. Date of birth. Social Security number. In some cases, the identity documents you submitted when you opened the account.

New Jersey residents received more than 850,000 data breach notifications last year, according to state attorney general filings — roughly one for every ten people in the state. The notifications are so common that consumer advocates now worry people have stopped treating them as the serious warnings they are.

“It’s become background noise,” said Renata Figueiredo, a consumer protection attorney based in Red Bank who has handled identity theft cases for more than fifteen years. “People get the email, they sign up for the credit monitoring, they forget about it. Then two years later, someone opens a credit card in their name in another state.”

Why the Notifications Keep Coming

The frequency of data breaches is not a technology problem in the narrow sense. Security teams at major financial institutions and healthcare providers spend hundreds of millions of dollars annually on encryption, access controls, and breach detection. Many of those systems work.

The underlying issue is that the data being protected should not need to exist in the form it does. When you open a bank account in New Jersey, your institution is legally required to verify your identity under federal Know Your Customer rules. That means collecting documents — a driver’s license, a passport, a Social Security number — and storing them. The storage is where the liability lives.

“You can secure the vault as well as anyone in the world,” said one security engineer at a Newark-based financial services company, who asked not to be named. “If the vault is full of Social Security numbers and someone eventually finds the combination, they walk out with millions of records. That’s the problem. Not the vault. The fact that everything is in it.”

Every institution that collects identity documents to satisfy regulatory requirements creates the same thing: a concentrated repository of the exact information needed to commit identity fraud at scale. Attackers know this. Breaches targeting financial services identity verification systems — the records collected at the front end of the account opening process — have increased every year since 2019.

What Happens After Your Data Is Stolen

The credit monitoring offer in the breach notification email covers one category of fraud: new credit accounts opened in your name. It does not cover tax fraud, medical identity theft, fraudulent government benefits claims, or the kind of deep identity compromise that comes from having your Social Security number paired with your date of birth and a scan of your driver’s license in the hands of someone who does not care how long the damage takes to unfold.

The Identity Theft Resource Center’s annual survey of victims found that the average person spends more than 200 hours resolving identity fraud — closer to 300 when the theft involves document-level identity data rather than just financial account credentials. For families along the Shore juggling seasonal income, that kind of disruption does not stay contained to paperwork.

“The worst cases are the ones where someone’s entire identity profile was stolen,” Figueiredo said. “Not just a credit card number — the whole thing. Those take years. I’ve had clients who couldn’t get a car loan five years after the breach because there was still a fraudulent account attached to their Social Security number that we couldn’t get removed.”

A Different Architecture

A cohort of technology companies has been working on a structural fix to the problem. Their argument: if the data were never stored in a centralized form in the first place, a data breach at that institution would yield nothing worth stealing.

The approach, broadly called decentralized identity verification, uses cryptographic techniques to allow an institution to confirm that a customer’s identity has been verified — without retaining the documents used in the verification. Zero-knowledge proofs, a mathematical technique developed in academic cryptography, can demonstrate that a fact is true without revealing the underlying data. An institution can satisfy its regulatory obligation — yes, this customer’s identity was verified — without holding a copy of the passport that established it.

Zyphe, a compliance technology company, takes a related approach called sharded storage: splitting identity credential data across multiple distributed nodes rather than holding it in one location, so that any single breach yields fragments rather than complete records. No one piece of the puzzle is enough to reconstruct a usable identity profile.
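Whether a stolen fragment is actually useless depends on how the record is split. The sketch below is an added illustration, not Zyphe's code or any vendor's implementation: it contrasts slicing a record into contiguous chunks with a simple all-shards-required XOR secret-sharing split. The record contents, function names and the four-node layout are assumptions made for the example.

```python
import secrets
from functools import reduce

# Constructed sample record; every value is a placeholder.
RECORD = b"name=Jane Doe;dob=1990-01-01;ssn=000-00-0000;dl=X0000000"

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def naive_shard(record: bytes, n: int) -> list[bytes]:
    """Slice the record into n contiguous chunks, one per node."""
    size = -(-len(record) // n)  # ceiling division
    return [record[i * size:(i + 1) * size] for i in range(n)]

def xor_split(record: bytes, n: int) -> list[bytes]:
    """n-of-n sharing: n-1 random pads, plus the record XORed with all pads."""
    pads = [secrets.token_bytes(len(record)) for _ in range(n - 1)]
    return pads + [reduce(xor_bytes, pads, record)]

def xor_join(shards: list[bytes]) -> bytes:
    """Recombine shards; only the full set yields the record."""
    return reduce(xor_bytes, shards)

def leaks_plaintext(shard: bytes, record: bytes, min_run: int = 8) -> bool:
    """True if the shard contains any min_run-byte substring of the record."""
    return any(record[i:i + min_run] in shard
               for i in range(len(record) - min_run + 1))

if __name__ == "__main__":
    for label, shards in (("naive", naive_shard(RECORD, 4)),
                          ("xor", xor_split(RECORD, 4))):
        exposed = sum(leaks_plaintext(s, RECORD) for s in shards)
        print(f"{label}: {exposed} of {len(shards)} shards expose plaintext")
    print("full set recovers record:", xor_join(xor_split(RECORD, 4)) == RECORD)
```

The XOR scheme needs every shard to rebuild the record, so losing one node loses the data; threshold schemes such as Shamir secret sharing trade that off by allowing reconstruction from a chosen subset.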

The technology is still working its way toward mainstream adoption. Federal regulators have not formally blessed decentralized verification as meeting Bank Secrecy Act requirements, and financial institutions are cautious adopters. But the direction is clear enough that larger institutions have begun exploratory pilots, and European banks operating under stricter data minimization rules have moved further toward implementation.

What NJ Residents Can Do Now

The shift to decentralized identity verification, if it happens, will be decided by institutions and regulators — not individual consumers. In the meantime, the standard playbook applies: freeze your credit with all three bureaus, monitor your accounts, and actually read the next breach notification email before you delete it.

But the bigger story is structural. New Jersey’s density of financial services companies — banks, insurers, investment firms, pharmaceutical companies conducting clinical trial enrollment — means the state’s residents are enrolled in more identity verification processes than the national average. More enrollment means more exposure.

The answer the technology industry is building toward is not better encryption on the same centralized databases. It is databases that do not need to hold what they currently hold. Whether regulated industries adopt that architecture quickly enough to matter is a question that will be answered in the next few years — one breach notification email at a time.

Jessica Moran

Staff Writer, Entertainment
