Many people are flummoxed by the recent Capital One hack that accessed more than 100 million people’s personal information.

However, millions of people are understandably worried, angry and vulnerable. Powerlessness is a common reaction, experts say, and a sense of resignation to the rising number of data breaches that have essentially doubled over the past five years.

Capital One COF, +1.85% said this week that a hacker accessed information including Social Security numbers for more than 140,000 customers and 80,000 bank-account numbers. The alleged hacker, 33-year-old software engineer Paige Thompson, has been arrested and charged with computer fraud and abuse. (The company did not respond to request for comment.)

“ Can you do anything to prevent being hacked? Start by asking the right questions. ”

Can you do anything to prevent being hacked? Start by asking the right questions.

Given the number of data breaches and privacy violations in recent years involving companies from Equifax EFX, +2.94% to Facebook FB, +2.12% , some people might only be surprised if their personal data was not hacked, said Britt Siedentopf, vice president of services at Global Asset, a cybersecurity and IT support firm in the Dallas, Texas metro area.

Companies and organizations should be able to answer questions about your data and how it’s used, especially given all the havoc that hackers can wreak with stolen information. “Any organization should have a clear understanding of what they collect and should be transparent,” said Adam Levin, founder of CyberScout, a cybersecurity firm.

Here are the five questions you should ask any company that gathers and/or stores your data:

1. Do you carry out regular ‘pen testing’?

“Pen testing” is short for penetration testing, where ethical “white hat” hackers do their best to break into the company or organization’s network and find any soft spots or, worse, flaws in the companies system. “As more and more consumers ask questions and hold institutions accountable, that’s going to drive change,” Siedentopf.

2. What kind of data are you collecting on me?

Whatever the product or service, Levin said companies should confine data collection to only what’s required to make a transaction go through, like names, addresses and basic payment data. When collection veers to demographic and marketing information — like age, gender and education level — that can become a problem, Levin said.

3. Do you share or sell my data with third parties?

When California’s tough new privacy law takes effect next year, consumers must get “explicit notice” when a third party plans to sell the personal information it received from a business. Make sure it’s a HTTPS website and has two-factor authentication for transfers and purchases, Levin said. However, even aggregated or “anonymized” data can be used to identify individuals.

4. Have you had a data breach — how did you handle it?

State laws vary widely on how companies should report data breaches, said Stephen Black, a professor at Texas Tech University School of Law with a cybersecurity consulting firm Trimble Black. Not all states require companies to report data breaches to the government, for instance. Certain breach responses are becoming mandated. In Texas, school districts will need to establish a cybersecurity policy that includes a coordinator who updates the public if breaches occur.

5. How long are you planning to hold onto my data?

The longer companies and organizations store data, the more time there is for something to go wrong. Ask your bank or online stores what their policy is and whether they will delete your data upon your request. Some businesses hold onto data longer than they need it and delete information from their primary servers — but not their back-up data storage off-site, Black said.

(Jacob Passy contributed to this report.)