Why you shouldn't ignore that data breach notice.
Updated: Jul 20, 2020
Today, it seems like an ordinary occurrence to receive an email or letter in the mail informing you that a company you do business with (or even one you never heard of) experienced a data breach and that your sensitive personal information may have been exposed.
The data breach notice might suggest that your information is likely secure, and that the company is just sending the notice as a precaution. But there’s almost zero incentive to notify consumers of a data breach. The companies that ultimately do notify are most often obligated to do so. Under California law, a business is required to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. So odds are that the company is sending you this notice because there is a likelihood that your personal information is at risk.
So don't wait to act. Once your personal information is stolen, consumers are more vulnerable to identity theft and spear-phishing scams that can trick even cautious people into revealing their credit card information, Social Security numbers, usernames and/or passwords for social media or bank accounts over the phone or by email. And identity theft may not happen overnight. Your information may end up for sale on the dark web and used months or years after the data breach incident.
Here are some of your options for acting now:
Change and create stronger passwords. Do not use the same password for all your accounts. That way if a criminal gets a hold of one password, they won't have the key to access all of your accounts.
Monitor your credit report. You can check your credit report for free once a week here. You can also sign-up for credit monitoring. Typically, the company who sent you the data breach notice will provide you with this service for free of charge.
Freeze your credit report. A credit freeze (aka a security freeze) restricts access to your credit report, which in turn makes it more difficult for identity thieves to open new accounts in your name. You can do this for free here.
Don't trust emails and telephone calls purporting to be from companies you do business with or even governmental agencies asking for you to verify your personal information.
For California residents, retain a data privacy attorney to enforce your rights under the Consumer Privacy Protection Act of 2018. The CCPA authorizes any consumer whose nonencrypted and nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information to bring a civil action. Cal. Civ. Code § 1798.150(a)(1).
The CPPA allows a consumer to bring a lawsuit to recover statutory damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater, injunctive or declaratory relief; and any other relief the court deems proper. Cal. Civ. Code § 1798.150.
The statutory damages of $100 to $750 are hefty and will add up if the case is maintained as a class action on behalf of all consumers whose personal informations was subject to the data breach.
Importantly, statutory damages are available to consumers who have not experienced any identify theft. In order to obtain statutory damages on an individual or class-wide basis, the law requires consumers to provide a business 30 days' written notice identifying the specific provisions of this law the consumer alleges have been or are being violated. If the company doesn't cure the violation, the consumer can bring a lawsuit. Although a company may be able to patch up a security hole in their system, it may not be able to cure the data breach because the consumer's personal information has already been exposed to the public!
If you get a data breach notice, contact Parasmo Lieberman Law for a free consultation.