·  Legal News, Analysis, & Commentary


Data Breach 101: What You Must Know to Prevent and Recover

— September 20, 2019

Data breaches can be nightmarish to recover from if you’ve been negatively impacted by one. Hiring a good lawyer and educating yourself on credit (and other data) safety are key to this recovery and to prevention.

It seems like every few months, another major data breach is in the news. There can be a lot of confusing information when it comes to major data breaches. What information was revealed? Was your information part of it? Does this mean your identity is going to be stolen?

It’s important to understand the effects of data breaches, what you can do to protect yourself, and what legal actions you can take as a victim. With the recent Capital One data breach and Equifax’s settlement regarding a major 2017 breach, it’s good to prepare in the case that you were affected by either.

What Is a Data Breach?

A data breach is a cyberattack that results in the release of private information. Major companies and financial institutions store personal information in order to conduct business. This could include Social Security numbers, credit card numbers, addresses, health information, or other sensitive data. When a company’s information systems are compromised, a cyberattacker can potentially gain access to this information and steal it. Cybercriminals often sell the data on the dark web, hold the data for ransom, or use it to conduct identity theft.

Is a Data Breach the Same Thing as Identity Theft?

A data breach is not the same thing as identity theft. If certain information was compromised, it may fall into the wrong hands and could potentially be used to steal your identity. The more personal information that has been exposed, the more opportunities criminals have to apply for credit in your name.

Even if you had sensitive data compromised, it does not necessarily mean you’ll be a victim of identity theft. Regardless, you should take steps to protect your identity, ideally before a data breach occurs.

How Can You Protect Yourself?

Before a Data Breach:

Limit the Information You Give Out

One of the simplest things you can do to protect yourself from becoming a victim of a data breach is to limit what information you give out. This is true for both online and paper forms. If personal information is required, make sure it is from a legitimate site and you understand how your data will be used. You should never give out personal information without a good reason, such as a credit pre-approval or online bank application. You can prevent the spread of unauthorized access to information online by using unique and difficult passwords for every site you use.

Freeze Your Credit

Another step that you can take proactively is to freeze your credit report. Placing a credit freeze prevents people from pulling your credit for the purpose of opening new accounts in your name. Freezing your credit doesn’t freeze your credit cards or accounts, and it doesn’t harm your credit. And as of 2018, placing a credit freeze is free, thanks to federal law. If you’re applying for a new credit card or other credit product, unfreezing your credit is a quick and simple process.

To place a credit freeze, you’ll need to place a freeze individually with all three credit bureaus – Experian, Equifax, and TransUnion. You can place a credit freeze online, by phone, or by mail. The online process is fairly simple. You may be expected to verify your identity by answering some questions. You’ll be given a unique PIN to unfreeze your credit. Keep this in a safe place so you are able to thaw your credit reports, should you need to. If you thaw your credit online or by phone, it should take effect within one hour. 

After a Data Breach:

If you’re notified that you might be affected by a recent breach, or if you hear about a high-profile breach of a company that you do business with, don’t panic.

Person holding credit card swipe machine; image by Blake Wisz, via
Person holding credit card swipe machine; image by Blake Wisz, via

First, keep an eye out for communication from the affected company. All 50 states have laws on the books about notifying data breach victims in a timely manner.

Even after a data breach, freezing your credit can still help prevent identity theft. If you don’t already do so, start to monitor your credit reports to see if you have any accounts you don’t recognize. Even if there’s no fraud, a study by the FTC revealed that about one in five people had an error on their credit reports. Check your bank and credit card statements to see if you have any fraudulent charges. 

Take note of any time or money spent recovering from a data breach, even if your identity doesn’t appear to be compromised. You may hear about a class action lawsuit or settlement regarding a data breach that you were a part of. Oftentimes, affected parties will be offered free credit monitoring or some sort of financial compensation. You should consult with a lawyer before accepting any rewards or benefits from a class action; it may waive your right to seek damages down the road.

Legal Impacts of a Data Breach

Of course, there are times – especially if you’ve suffered damages, such as identity theft – that taking legal action is the best solution. There are numerous laws the purpose of which is to protect consumers from data breach damages. 

The law is structured so as to make the injured party as whole as possible; in other words, to return them to the condition they were in before the data breach. However, the legal system requires that you show damages. Therefore, if you were part of a data breach but nothing bad happened as a result of it, you are better off taking whatever the company offers (whether free credit monitoring or cash payouts). In the unfortunate instance of actual damages, it’s time to consult a lawyer.

While you can bring your suit on your own, it’s more likely than not that there will be others damaged like you and the suits will be consolidated into a class action. These suits feature named plaintiffs whose circumstances are similar enough to the rest of the class as to be representative of the class. 

Is it worth taking legal action? That’s a difficult question to answer. Depending on the size of the class, the damages awarded may not be very large. Sometimes, they will include the free credit monitoring mentioned earlier, along with cash payouts that are structured to reflect the damages sustained split between the entire class.

What if you’ve been seriously damaged, though? At that point, it may be worth consulting your lawyer about bringing suit on your own. There are benefits and drawbacks to this approach. As part of a class action, the costs and fees are shared by the class and typically paid out of any damages award or settlement. Suing on your own means you are solely responsible for the costs and fees. 

This isn’t so bad providing you win your case or the company offers an acceptable settlement. As with class actions, your lawyer will typically take costs and fees from the amount of the award/settlement. But, if you lose, you are responsible for the costs, and potentially the fees, out of your own pocket.

As a point of clarification, costs are what it costs your lawyer to file the case, pay any private investigator if required, etc. Fees are what your lawyer earns by representing you. Often, you’ll see a “you don’t pay if we don’t win” ad. This means the lawyer is working “on contingency.” They don’t earn their fees unless you win. However, in all but a very few instances, you are always responsible for the costs.

Data breach cases often settle for substantial amounts of money. This does not all go to the members of the class and its lawyers in the form of cash, though. That free credit monitoring? It’s not really free. Those whose data was stolen don’t pay for it, but it does come out of the settlement funds. 

Likewise, any moneys used for credit repair, fraud protection, and as reimbursements to those who have paid for such services out of pocket. In July of this year, “Equifax agreed to [pay] close to $700 million in fines and restitution. Of that amount, $425 million will be set aside for consumer payouts to cover things like “credit monitoring and out-of-pocket losses because of the breach, as well as the cost of identity restoration services for victims.” This covered the massive data breach in 2017.

Those affected by the Anthem, Inc. data breach were able to get up to $10,000 in addition to the credit monitoring and other services. 

Data breaches can be nightmarish to recover from if you’ve been negatively impacted by one. Hiring a good lawyer and educating yourself on credit (and other data) safety are key to this recovery and to prevention.

Join the conversation!