
Tech Matters: Hertz breach shows why you can’t always protect yourself

By Leslie Meredith - Special to the Standard-Examiner | Apr 23, 2025


An unknown number of rental car customers, including those who had used Hertz, Thrifty and Dollar services, earlier this month received notifications that their personal data — and a lot of it — had been compromised through a data breach. While Hertz, the company that owns the three rental car companies, has not disclosed how many people were affected, the timeline is clear.

It’s useful to take a look at how the events unfolded, who knew what and when, who has responsibility for the data and what, if anything, is being done to help affected customers. Why? Because it helps you understand what you can — and can’t — expect from corporations when a breach happens.

Here’s what we know, according to security analysts and Hertz. Last October and December, a ransomware group known as Clop exploited two zero-day vulnerabilities in a third-party file transfer platform marketed by Cleo Communications that Hertz and about 4,000 other companies used. In December, Clop claimed responsibility for the attacks and also said it had stolen data from 66 companies, including Western Alliance Bank, WK Kellogg Co. and Sam’s Club. Hertz said in a statement that its data was stolen on Feb. 10.

Hertz completed its analysis of the data breach on April 2. Car rental giant Hertz Corporation is notifying customers of the Hertz, Thrifty and Dollar brands that their personal information was stolen from Cleo products as a result of last year’s hacks. It’s important to note that Hertz is the responsible, customer-facing party, not its vendor Cleo. Hertz may be doing the right thing in taking responsibility for the breach, but it can’t control Cleo’s lack of data security. But could Hertz do more in the future?

During the week of April 7, Hertz began notifying thousands of customers that their personal information was stolen from Cleo’s file transfer platform. According to the company’s Notice of Data Incident posted to its website, the customer data included name, contact information, date of birth, credit card information, driver’s license information and information related to workers’ compensation claims. A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims) or injury-related information associated with vehicle accident claims impacted by the event, the company said. This data set represents an enormous amount of personal data, and one that sets this breach apart from most others.

In its notice to affected customers, Hertz said its investigators had found no evidence of the stolen information being used for nefarious purposes, but as a best practice, customers should check their accounts for any unusual activity. Hertz has offered two years of free identity theft protection from Kroll. If you have questions about the breach, you may call Hertz at 866-408-8964 Monday through Friday, from 6 a.m. to 8 p.m. Central time.

Consumers may not be able to vet every company their data touches, but they can take a few proactive steps when a breach occurs. If you’ve received a notification, enroll in the free credit and identity monitoring service offered — this isn’t the time to shrug it off. Even if you haven’t seen suspicious activity yet, stolen data often circulates on the dark web for months or even years before being used.

Next, watch for phishing scams. Bad actors may use the breach as a springboard to impersonate Hertz or a credit agency and trick you into sharing more personal information. Don’t click links in emails unless you’re sure they’re legitimate, and when in doubt, go directly to the company’s website.

You can also place a free fraud alert on your credit file with any of the three major credit bureaus — Equifax, Experian or TransUnion. This makes it harder for identity thieves to open accounts in your name. In more serious cases, a credit freeze may be appropriate.

Still, none of this addresses the root problem: Companies need to take more responsibility for the security practices of their vendors. That includes regular security audits, stricter contracts with third parties and more transparency with consumers when something goes wrong.

Leslie Meredith has been writing about technology for more than a decade. As a mom of four, value, usefulness and online safety take priority. Have a question? Email Leslie at asklesliemeredith@gmail.com
