In this article, we will discuss the rights of a consumer whose data has been illegally mined and answer the following questions:
Data breaches have become so commonplace that we rarely see them in the news anymore. Some may remember the more high-profile hacking incidents involving companies such as Equifax, Yahoo, and LinkedIn, where hundreds of millions of users’ data was mined illegally. 2020 alone has seen Zoom, Twitter, MGM, and Magellan Health as the targets of sophisticated data hacks that led to consumers’ personal and financial data being stolen. But what happens after the hack? And what are your rights and the companies’ responsibilities?
Getting a letter or an e-mail saying that your data has been hacked can be panic-inducing. However, there may be no reason to be concerned if the hackers only gleaned data that is easy to change. Items such as passwords and credit card numbers can usually be changed without much issue. Moreover, many systems are moving to two-factor authentication and other systems that protect your data even if hackers get access to your username and password.
It is cause for concern if a hack leads to more sensitive information such as your social security number, checking account number, or credit history. Hackers getting access to this information is less common, because it is heavily protected or not part of the registration process for whatever service got hacked. But how do you know what information the hackers got, and what can you do about it?
Generally, in a data breach, your rights include the company notifying you promptly of the breach and your legal right to sue the company.
When a data breach occurs, such as in the case of Yahoo or Equifax, it is the company’s responsibility to report the breach as soon as possible. Delays in reporting can increase a company’s liability and put its customers at significant risk.
When a company discloses that its customers’ data was stolen, it must include, to the best of its knowledge, what information was stolen. It may not be able to report what data the hackers had access to on a granular level, such as identifying the individual accounts accessed out of millions, but the company should know what information the hackers likely had access to. Based on this, the company will issue options that the consumer can take moving forward to rectify the problem. This often includes 1 to 2 years of identity theft protection, and possibly a small monetary reward. However, in agreeing to the company’s placations, you are relinquishing your right to sue or be involved in a class action lawsuit. Furthermore, many free-to-use services, such as Facebook, include language in their user agreement that specifically states you cannot sue the company over your data entering the hands of third parties, no matter the means.
The basic consumer rights allowed in hacking incidents remain the same no matter how many individuals are involved. You have the right to be promptly notified if your sensitive data was accessed or stolen, and you have the right to sue the company over the data breach. When a large number of individuals are involved, a class action lawsuit may be brought against the company for failing to protect its customers’ data. However, class action lawsuits can take years to move through the legal system and many amount to very little for the consumer in the end; they are much more of a financial punishment to the company. For example, a class action suit may force a company to pay hundreds of millions in restitution and identity protection to consumers, possibly a huge financial impact to the company, but the consumer might only see a few hundred dollars at most out of the process.
If you have any questions about data hacking and consumer rights, please give us a call.
O'Flaherty Law is happy to meet with you by phone or at our office locations in: