Given all of the big-name data breaches that have occurred during the past few years, there’s a good chance your personal or payment information has been compromised.
There’s also a chance you’ve been offered some type of identity protection, usually in the form of free credit monitoring, by the company that suffered the breach. But how much (and what type of) protection are they legally required to provide?
Well, chances are, the answer is zero.
The Laws of Data Breaches
There are laws requiring that companies who experience a breach notify affected consumers. The specifics of how and when varies by state, but “the general requirement is written notification usually by regular mail,” Scott Christie, a Newark-based partner at McCarter & English, said. “Many statutes say if there is an exceptionally large number of victims you can notify in an alternative means, which can be electronic mail or notification by the main page of your website.”
Some state laws require that you notify state law enforcement or attorneys general as well — and generally before consumers are told of the breach so notifications don’t compromise a potential investigation, Christie said.
But virtually no stipulations exist that address consumer restitution following a breach. Earlier this year, Connecticut updated its laws to mandate companies provide credit monitoring following one, but, beyond that (and a failed attempt to do so similarly in California), there’s nothing stipulating how companies should compensate consumers post-hack.
It’s “sort of as a public relations effort more than anything else,” Christie said.
How Can I Protect Myself?
Suing for further restitution post-breach is not fairly common — or successful — since, given how data-driven our society is, it can be difficult to tie any identity theft to one particular incident. “As a result, it’s hard for defendants to show damage” and win, Christie said.
“All of them have investigators who look into these respective cases and they will seriously investigate them,” Christie said.