I recently received a check in the mail for close to $1,000 from the IRS.

To most people, this would be a welcome bounty to use on a future vacation or to tuck away in the savings account. The problem was, I wasn’t expecting this check. And from years of filing taxes, I know the IRS isn’t Santa Claus.

It turns out that someone had taken the liberty of filing my taxes for me, using my Social Security number and other personal information obtained illegally through a data breach to obtain a windfall at my expense. It also turns out that they weren’t so good at it either, since the check was actually sent to me — their direct deposit information was entered incorrectly. That somehow at least made me smile, in a moment of what was still a situation leaving me pretty vulnerable.

Vulnerable…for Life?

That smile turned to the realization that while the tax situation would eventually be sorted out with the IRS, my personal information was still out there, with faces I couldn’t see, and motives I’d never know.

And reading this article in yesterday’s Los Angeles Times on what corporations owe victims after a data breach, some points raised by such victims only raised my fears even more. What could they use my information for next? Could they be storing this personal information to use years down the line…when I least suspect it?

In my own case, I was given one year of free credit/identity theft monitoring as a result of the breach (the usual), which wouldn’t necessarily be of comfort if something was done with my information years down the line. In the Times article, “Los Angeles resident Jairo Angulo and his wife were among nearly 80 million[…]Anthem health insurance policyholders whose personal information was reported hacked last February,” and he actually received more than the “usual” in my case after the breach. But even here, he realized the vulnerable position he too was in:

Anthem has patted itself on the back for offering two years of monitoring rather than the customary one. To Angulo, 66, that was nowhere near enough.

“If your Social Security number and other information is out in the world, it’s out there forever,” he told me. “Anthem should be paying for my credit monitoring for the rest of my life.”

And, if we’re upping the ante a bit, if you’re like Aberdeen Group Vice President & Research Fellow, IT, Derek Brink, it’s less about what happens after an attack and more about what organizations are doing to prevent it in the first place:

What consumers want — and deserve — is not another two years of free credit monitoring and identity resolution services layered on top of the others that have been provided in the wake of other breaches. Consumers want — and deserve — that the organizations we trust actually invest in what it takes to secure our personal information that they store on their servers.

But sadly, we live in a world where breaches are becoming less of a headline because of their frequency, and it did happen. And you the reader are not Jairo Angulo, the victim cited in the New York Times article. Or Derek Brink, our IT security analyst at Aberdeen. Or me. So the question on my mind should really go to you: After the fact, is one year of credit monitoring enough after a breach? If not, what are some logical steps that should be taken after a user’s personal information is exposed? Is anything really enough after an exposure?