How Do You Recover from a Data Breach: A Consumer’s Guide

Data breaches have unfortunately become a common occurrence. The 2021 Thales Data Threat Report found that 45% of US companies suffered a data breach of some sort in the past year. With more and more shopping happening online, most companies store consumer information in databases. Unfortunately, if a hacker targets these databases and steals your information, your privacy, finances, and peace of mind could be at risk.  So how do you recover from a data breach? Read below to find out.

What is a Data Breach? 

A data breach is defined by the National Association of Attorneys General as any “unlawful and unauthorized acquisition of personal information that could compromise the security, confidentiality, and integrity of personal information.” In these breaches, hackers can steal any information the company has about its customers. This could include your full name, home address, physical address, Social Security Number, and tax, credit card, or medical information.

Typically, we only hear about large breaches in data because they make the news. However, they can affect companies of all sizes. In fact, according to Verizon’s 2021 Data Breach Investigation Report, 28% of all breaches occur in small businesses.  

How do Data Breaches Happen? 

A breach in data can occur in a variety of ways. While not all breaches are intentional, they all have the potential to be harmful. If breaches happen unintentionally, it is usually because an employee made an error. Sometimes an employee may accidentally send sensitive information to the wrong person, attach an incorrect document to an email, or even leave a physical file where someone else can read it. In these cases, the breach is typically limited to a small number of people, whom the company will then contact. Although this type of breach is smaller, it can still be quite harmful for victims.  

Most breaches, however, are done intentionally and maliciously by organized groups of hackers. In these types of breaches, a hacker will purposefully expose the personal information of thousands of customers. Hackers can do this by using malware or code injections to steal information directly from a company’s databases. After they collect the sensitive information of consumers or employees, hackers can sell this information for a high profit on the dark web. 

Laws Surrounding Data Breach 

Luckily, there are rules and regulations that give companies guidelines to follow if a data breach occurs. For example, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions (any company that offers lines of credit, loans, insurance, or financial or investment advice) to explain their information-sharing practices to their customers and safeguard any sensitive data they may hold. Similarly, the Federal Trade Commission (FTC) Safeguards Rule requires financial institutions to have measures in place to keep customer information secure, and to ensure that their third parties or affiliates also safeguard their customer information. In cases of medical breaches, both the Health Insurance Portability and Accountability Act (HIPAA) and the FTC’s Health Breach Notification Rule require health-related businesses to notify victims of a breach of unsecured, protected health information.

Additionally, all fifty states and the District of Columbia have created laws that determine how businesses, and the government in some states, should respond to a breach. While each state is slightly different, these laws typically require companies to do the following: 

  • Notify the state Attorney General of the breach 
  • Identify how time sensitive the breach was and act accordingly 
  • Perform a risk of harm analysis for the breach and act accordingly
  • Give notice to victims of a malicious and potentially harmful breach as quickly as possible. This notice may come by letter, email, or phone call. It may also be posted as an informational advertisement on the company’s website or on social media. 

Unfortunately, a private individual cannot sue under most of the state and federal laws above. Instead, the federal or state government holds the businesses accountable.

However, if your information is lost in a breach and you experience fraud as a result, there are consumer protection laws that you can file suit under. These laws include the Electronic Fund Transfer Act, which requires Credit Reporting Agencies (CRAs) to investigate claims of fraudulent charges, and the Fair Credit Reporting Act, which requires CRAs to investigate claims of fraudulent activity connected to your credit report.

How Do You Recover from a Data Breach?

If you are notified that your information has been leaked in a breach, you need to act fast to protect your security. 

Some steps you can take to protect yourself include: 

  • Check your bank records and credit report for unfamiliar accounts or lines of credit 
  • Notify the credit reporting agencies (CRAs) if you find any evidence of fraud.  
  • Ask the CRAs to place a fraud alert on your record 
  • Notify your bank that your information has been stolen. Bank representatives can help to identify the best option to protect your finances. 
  • Check your medical insurance for evidence of fraud. If you find fraud, contact the CRAs about this as well. 
  • Change all your passwords. Be sure each password is unique, so thieves cannot log into multiple accounts. 
  • Change your bank PIN and any other codes you use for logins online 

If you experienced fraud as the result of a breach of data, you may be able to seek legal action. Some situations include: 

  • If a breach occurs but a company does not notify you in a timely manner. 
  • If your credit card information is stolen but your card issuer or the CRAs fail to fix the errors 
  • If your medical insurance is affected and the CRAs fail to fix the errors, or 
  • If your stolen information is used by an identity thief to empty your bank account, make unauthorized credit card charges, take out a loan, or otherwise harm you financially. 

If these situations occur, it may be time to call a lawyer. The Fair Credit Reporting Act (FCRA) and the Electronic Fund Transfer Act (EFTA) could help to hold your banks, credit card companies, the CRAs, and the company that experienced the breach responsible for your loss, but you will need a lawyer who understands the complexities of these laws.

The lawyers at the Financial Justice Initiative are experienced in representing victims of fraud and identity theft, and we are passionate about helping you regain lost finances and peace of mind. Contact us online or at (206)737-0458 for a free case consultation to see how we can help.