What Are Consumer's Rights in a Data Hacking Incident

By Lisa M. Schaffer, Esq. on October 29, 2018 | Last updated on March 21, 2019

Every week, there seems to be another announcement of consumer data breach. We've all gotten those letters in the mail saying that the company will pay for a year's worth of identity theft services, which generally cost consumers about $10 per month. However, these hacks have become so commonplace that most consumers have already purchased this service, as a prophylactic measure, since identity theft can be so financially damaging.

In addition to applying for these services, what rights do consumer's have when their data is illegally mined?

When Should I Worry?

We have all gotten so scared, yet so accustomed, to data breaches, it's hard to know when to act and when to relax. The basic answer is that any time hacked consumer data can easily be changed, like a credit card number or password, it isn't very concerning. But when it can't be, such as a consumer's established credit history, date of birth, and Social Security number -- as in the Equifax breach of 201 -- it's a red flag that should put you on high alert.

Which brings up the question: what are consumer's rights in a data hacking incident?

When Do I Have Rights?

Unfortunately, we waive many consumer rights, such as the ability to sue, in the fine print of certain user agreements. In some instances, such as using free apps like Facebook or Grindr, by agreeing to terms of use, we opt into allowing some of our data to be shared. And if it is hacked, rather than shared, there is still no privacy violation.

In other instances, we waive our right to sue by accepting free customer identity theft services that companies offer in the wake of data breaches. Many people don't notice this, but it's in the fine print.

The Securities and Exchange Commission is attempting to provide more rights to consumer in this quickly evolving field. Businesses must now notify consumers of breaches promptly, though they are starting with guidelines first and enforcing with legal action later. And waiver by opting into free identity theft services has also become frowned upon.

Class Actions Are Rare

If you haven't opted into any user agreements requiring arbitration, you can try to join a class-action lawsuit. However, courts rarely allow these suits to move forwards, primarily due to what's called "plaintiffs' bar," which is standing. Attorneys representing plaintiffs in class actions must show the victims suffered actual or threatened damage, and not just "allegations of future injury," under Article III. Often times, it can take years for clever data hackers to garner enough data to actually perform identity theft. And until there is something close to this, there can be no class-action lawsuit.

But Sometimes They Form and Succeed

But sometimes breaches go far enough to overcome this Article III challenge, such as the case of Yahoo's data breaches of 2013 and 2015. A California federal judge this year allowed a class-action to form. However, in that case, several customers could prove stolen information was used by criminals and used for filing fraudulent tax returns or credit. Also, Yahoo had taken so long to inform customers that there had been a breach, that it allowed enough time for criminals to actually fraudulently use the information, thereby creating standing. Yahoo settled the case by offering an estimated 200 million affected two years of free credit monitoring; for those that already have credit monitoring, a $100 award may be issued instead.

Credit Freeze

One option that consumers always have is to place a freeze on their credit reporting. To open up a new credit card or bank account, the financial company will always contact a credit reporting service to obtain the applicant's credit history. If a freeze has been placed on the account, the agency must call you do obtain your consent prior to giving out the information.

The drawback is that you can never get instant credit - this election extends the verification process that can no longer happen instantaneously at the checkout counter for the quick 15% discount. But if you are willing to waive that privilege, it may be very helpful in the long run. The freeze costs about $5 to $10 per account, and to be effective, a consumer would have to put a freeze on each of the Big Three Credit Services: Equifax, Experian, and TransUnion.

If you believe your data has been stolen, contact a local class action attorney. A legal expert can tell if you if there have been any announcements regarding regarding your alleged breaches or hack, and what you can do about it. Don't be alarmed when you receive letters regarding breaches, but don't be a victim either. Be your own best advocate, and reach out for help today.

Related Resources:

Copied to clipboard