Consumer Step by Step Guide: What to do when data breach happens

Consumer Step by Step Guide: What to do when data breach happens.

We all know data breach happens now more often than even before leaving data of millions of people compromised. While this topic is widely covered by media and different publications, very little advice is given to regular people as to what to do and how to protect yourself if you are a victim of data breach or identity theft.

To answer this question it is important to identify all the facts of the breach, because it will determine what you should do in such a case. These should include the following:

  • To identify which company exactly has suffered a data incident
  • Important to confirm the data breach actually happened.
  • To determine the country / state where data breach occurred and the country / state of the company's headquarters
  • Check if your home country or state laws provides a better data privacy protection
  • What is the nature of the breach and was any of your sensitive information compromised?
  • Did you suffer from an identity theft because of a data breach or not yet?
  • Checklist of what to do when a data breach happens.

In this article, we’ll cover a few types of data breaches to show how sensitive information can be compromised and our advice on what you should do in each scenario, so continue reading.

To identify which company exactly has suffered a data breach.

Today when you entrust your personal data to any organization or company, can be accessed by multiple more organizations, such as website hosting providers, marketing email providers or facilitators, CDN providers, platforms used for (re)marketing purposes such as Google, Facebook, Twitter and many more. This list might go on and on. So when a data incident happens, the way it is identified may not be 100% of the time telling the exact source of the data leak.

For example if the company did internal monitoring and flagged suspicious activity or security lookhool that was exploited, good news at least this is clear the source of the data leak. But sometimes news will pick up a story about a dataset dumped on a dark web and offered for sale. In this case, it is far from clear what is exactly the source of information. Yes, it is likely the company who has those user base as their clients, but it might be a different company, who is just a service provider who is a processor of information. Another scenario that might happen is that hackers can use security breach in order to tap into another company's systems and database.

So as you see giving an answer to this simple question can be quite complex. Once a data breach source is identified, the concerned organization will inform its customers that might potentially be affected and will initiate investigation into the root cause of the data incident. This information might become known when any of the companies respond with data breach notice and many times publish it on their website, as organizations are required by law to promptly report on data breaches and notify its customers. Each state in the USA has such a Data breach notification law, so does the UK and EU member countries.

Online Privacy and Security lock shield - DataClaim

Get a confirmation that data breach actually happened.

As you now know, data breach laws require companies to give a notice about data incidents. If you received email about a data breach, well this might be a legitimate email notice from the company, or it might be a phishing attack by hackers impersonating the company in order to get more personal information. So we advise you to check the company's official website for notice of breach, or write to the company official email address (by creating a new email). You should typically see a privacy notice or privacy policy link in the footer on any website, that page will have details for contacting organizations on privacy issues. Once breach is confirmed, it is important to get more information about its nature and potential affect on you.

It is sometimes useful to understand what type of a data breach happened. It can be a simple:

  • cybersecurity breach (aka hack),
  • data leak (aka unauthorized disclosure) by insider (employee reckless or negligent wrongful accidental disclosure or destruction of information) or by outside perpetrators.

Did you have a data breach? You might have a right to compensation - up to $750CHECK COMPENSATION FOR FREE

Determine the country or state where data breach occurred and the country or state of the company's headquarters.

In today’s world of cloud computing and multiple services involved to enhance user’s experience, your data can be stored and accessed from multiple different locations. So determining the country where breach occurred might not be the easy task and sometimes companies use multiple different servers and breach may have international nature (can happen in few countries). This usually will be identified in the process of internal investigation by the company or as part of external investigation by the regulators.

Alternative scenario is to understand which company specifically suffered a breach and where such organization is located or registered. Some businesses operate globally under one brand umbrella based on a franchising model. In such cases each country's business is typically separately owned and controlled and might not be part of global headquarters. So depending if it is one vertically integrated and controlled business or a chain of different businesses, might affect how and where compensation can be claimed.

Above information may be useful to establish the best possible jurisdiction for making a consumer claim for compensation and which authorities to submit a complaint to.

In case domestic laws of the country when breach occurred has better consumer privacy protections in place then the country of your residency. Example, if you are a resident of New York, state which at the time of writing has not specifically allowed private right to action for compensation, and you have suffered from a British Airways data breach in the UK, you will enjoy a better data protection regime in the UK that allows you to claim compensation for such data breach.

Check if your home country or state laws provides a better data privacy protection

Your privacy rights are regulated by your home country or state law where you are a resident of. Privacy is regulated differently and your rights largely depends on current privacy laws:

  • If you are a resident of California you can benefit from CCPA privacy law.
  • If you are a resident of the UK, you can enjoy vast data protection rights under UK GDPR, which include the right to claim compensation.
  • If you are a resident of any country that is part of the EU or EEA, you are lucky to have the EU GDPR global data protection regime, which is the best international standard that favours individual’s privacy and provides the right to claim compensation.

So check if you can take advantage of some of the best current privacy regulations world wide.

Consumers Data Privacy Identity - DataClaim

What is the nature of the breach and was any of your sensitive information compromised?

Early on when data leak happens, organizations typically have limited information about underlying security breach and its nature. However, depending on the company's privacy policies and procedures, many times an organization can tell which information was encrypted or not affected at all. This is not a guarantee, but a helpful information. While some companies are more honest about data breach and tell true information to its customers, others are secretive and dishonest. Some go beyond that offering money to hackers to silence information about a data breach, which likely be a lot more expensive for any organization to deal with. So whatever company is telling its customers in data breach notice is preliminary information and might be not true at all.

So what to do in this case? Well, we advise you to check what types of information you shared with such an organization, i.e. did you share any sensitive information. Sensitive information is defined very differently in different countries and even each state in the US will have a different approach. Typically, it will include:

  • Sensitive health information (mental problems, HIV or other disease information, etc)
  • Financial or bank information, such as bank account details, account statements (while most companies do not store credit card information and it is usually processed by third parties)
  • Passport, driver license, iD details, social security number. While credit card information may seem like a big deal, credit or debit card can easily be reissued with new details. However, a social security number cannot be changed and can be used by bad actors in many different ways.
  • Biometric personal information: finger prints, face image recognition, your bodily measurement, etc.
  • Any info about sex life or dating information (such as dating information or membership at some peculiar sex clubs or website of interest)
  • Any personal information of minor children.
  • Any criminal, civil or other court records or information about it
  • Any other non-public sensitive information that might compromise you or subject you to discrimination

If you shared any of the above information, first ask the organization if this information was stored in encrypted form, second was information accessible though that security breach, and third was any of the above compromised. Often organizations would separate sensitive information from another personal information and have it in encrypted form to reduce risks of all information getting compromised in case of security breach.

Some of the above sensitive information may allow bad actors to impersonate you and rent or buy properties, apply for employment benefits, file fake tax returns, and commit other illegal acts under your name. If a data leak affected you, or may have enabled access to sensitive information, it is better to play safe and do more that needs to be done if compared to regular data breach to reduce risks known and unknown but potential risks that have not yet materialised. Once you know the nature of a data breach, you can move to the next step.

Did you suffer from an identity theft because of a data breach or not yet?

If you suffered anything as a result of a data breach, this can include:

  • Economic losses: if somebody took out loans, rented a car, extended a credit, wrongfully filed taxes, etc.
  • Lost ability or affected your ability to do business, borrower money, retain customers, lost earnings potential (lost job), loss of future business.
  • Out of pocket expenses (OPE): any expenses to monitor account or make necessary changes.
  • Unfair discrimination or treatment.
  • keep receipts and track all expenses to be reimbursed. Typically, companies will reimburse reasonable OPE within the bracket of $20,000.
Keep in mind that according to some recent surveys only 1 out of 5 people are notified about data breach or know their data has been compromised, so a large number of data breaches continue to be exploited for a few months, sometimes years. Importantly, on average every third person would experience identity theft, fraud or some form of a real loss, which can happen within anywhere from 6 to 24 months following data breach. So part of the question would mean what to do to identify any identity theft or fraud timely, and steps to avoid negative affect on your personal or professional life and prevent any losses to occur.

Checklist of what to do when a data breach happens.

First, regardless of type of data breach, you should consider doing this:

  • Track any expenses or losses you may face. Keep receipts and records.
  • If the concerned company offers you any credit or fraud monitoring and/or identity theft protection - consider accepting it, only if that does not require you to waive any rights to bring claims for compensation or losses.
  • Change login and password details (including security Q&A). Hackers know most people use the same passwords across the board.
  • Start using double authentication at least for email and critical accounts, if not for all your accounts.
  • Submit a request for free evaluation of your case to check if you have the right to claim compensation. Depending on the circumstances and the country/state of your residency data breach compensation can reach $750 in the US and up to €1,000 or £1,000 even if you have not suffered economic losses. In serious cases, compensation amounts can be much higher.

Login password credentials compromised - DataClaim

If your online account credentials were compromised, we suggest you should do the following:

  • Log in to that account and change your password. If possible, also change your username and security questions.
  • Set up double authentication (using your secured telephone).
  • If you can’t log in, contact the organization as soon as possible. Ask them how you can recover, freeze or shut down the account (ideally downloading information the company had on you, so you have a good understanding of what information may have been compromised), as fits your circumstances.
  • If you use the same password elsewhere, change that login credential there too.
  • If access to your email inbox was compromised, than you might have to do a heavy duty exercise, which includes:
    • checking an access log (to see who and when accessed the account).
    • If an email account was accessed, to request the company to trace any user session recordings on your account unauthorized sessions. Many organizations record users' behaviour on site for analytics and improvements. This may be a good point to start to identify what if anything was done with your inbox.
    • Depending on these results, your further actions will be different and the organization must offer help you to track fraud, online identity theft. A lot depends on your prompt actions to mitigate and prevent. At minimum do the maximum you can do as per this checklist and depending on your case it might be worth to check with lawyers on any issues that arise.

    If you had a bank or financial data breach:

    • Contact your bank or credit card company to
      • cancel your card and request a new one.
      • put an alert for the bank account record, so bank is alerted to tracks your activity more closely, or put a freeze on your account, or
      • Ideally, close the account and open a new account.
      1. Check your account for any charges that you don’t recognise.
      2. Monitor your account for any new activity, new products or services requested.
      3. Check to make sure your personal account details are correct and up to date, including telephone number, email, address details, security questions. Consider changing them if you think that information may be at risk.
      4. If you have recurring subscription payments, update your payment method with a new card or otherwise.
      5. Check your credit report at

      if your US Social Security number was compromised.

      As this happened in recent credit reporting agency's data breach, your identity theft risks are really high. And you should do the following as per the FTC recommendations:

      • If the company responsible for a data breach offers you free credit monitoring, take advantage of it, but do it without waiver of your rights.
      • Obtaining your free credit reports from to look for activity you don't recognize. You can request a free report from any of the credit reporting companies once a year.
      • Consider a credit freeze for your accounts with the three major credit report agencies. This will make it more difficult for bad actors to open a new account under your name.
      • If you decide not to place a credit freeze, seriously consider placing a fraud alert at minimum.
      • File your taxes early, before bad actors use the opportunity to use your exposed Social Security number to file a fraudulent tax return to get a tax refund or a job. Promptly respond to any letter from the IRS.
      • Don’t believe anyone who calls and says you’ll be arrested unless you pay for taxes or debt even if they're from the IRS, they are likely not. You may ask for an official government email (must have .gov) or office number and reach back for clarifications.

      If your ID or driver's license number was compromised.

      • You should contact your local Division of Motor Vehicles to apply for a duplicate and/or flag your number to catch anyone trying to use it.
      • Submit a claim for compensation with DataClaim. Click check compensation to submit a request for a free evaluation of your case. Please include as much information as possible, so we can carefully review your case to determine if you may be eligible to claim compensation.
      • Submit a complaint about data breach or identity theft to a regulator or authorities

      Submit a request for free evaluation of you case. You might be eligible to claim up to $750 in compensationSUBMIT A FREE REQUEST

      You can also submit a data breach complaint to regulators and authorities for investigation and enforcement.

      You may also submit a complaint about your data breach or identity theft to regulators to investigate this further and penalize the company.

      US Flag FTC data breach complaint - DataClaim

      If you are from the United States, the US Federal Trade Commission accepts data breach or identity theft complaints:

      • call at 1-877-FTC-HELP (1-877-382-4357) or call 1-877-438-4338
      • Report it online here
      • Consider submitting a report to other Federal Government Agencies that might be concerned (see a list of relevant contacts)List of US Federal agencies to report data breach

      You can also submit a complaint to state and local enforcement authorities:

      • Attorney General office in your state.
      • Local police department. Take with you
        • a copy of your FTC Identity Theft Report
        • State photo ID
        • proof of your address (rental contract or utilities bill)
        • any other proof you have of identity theft (bills, IRS notices, etc.)
        • FTC's Memo to Law Enforcement (can see screenshot and download as attachment below)

        US FTC's identity theft Memo to Law Enforcement

        In UK, you can submit a data breach complaint to ICO:

        By email to [email protected]

        By phone at telephone: 0303 123 1113, Textphone: 01625 545860 Monday to Friday, 9am to 4:30pm.

        Live chat

        For more information go here

        EU GDPR General Data Protection Regulation complaint - DataClaim

        In EU or EA countries, you can submit a data breach complaint to National Data Protection Authority

        Submit a claim against the company to claim compensation. This is where DataClaim comes to help. You can submit a request for free evaluation of your case to check eligibility to claim compensation.

        Submit a complaint to your national Data Protection Authority in your country in the EU or EEA. Friendly reminder that EU GDPR also applies in all EEA countries.

        European Data Protection Supervisor

        Rue Wiertz 60, 1047 Bruxelles/Brussel, Office: Rue Montoyer 30, 6th floor

        Tel. +32 2 283 19 00 / Fax +32 2 283 19 50

        email: [email protected]

        Member: Mr Wojciech Wiewiórowski, European Data Protection Supervisor

        Data breached? You might have a right to compensation - up to €1,000. It is easy, just submit a free request.SUBMIT FREE REQUEST

        Austria: Österreichische Datenschutzbehörde

        Barichgasse 40-42, 1030 Wien

        Tel. +43 1 52152 2550

        email: [email protected]

        Member: Dr Andrea JELINEK, Director

        Belgium: Autorité de la protection des données - Gegevensbeschermingsautoriteit (APD-GBA)

        Rue de la Presse 35 – Drukpersstraat 35, 1000 Bruxelles - Brussel

        Tel. +32 2 274 48 00 / Fax +32 2 274 48 35

        email: [email protected]

        Member: Mr David Stevens, President

        Bulgaria: Commission for Personal Data Protection

        2, Prof. Tsvetan Lazarov blvd., Sofia 1592

        Tel. + 359 2 915 3580 / Fax +359 2 915 3525

        email: [email protected]

        Member: Mr Ventsislav KARADJOV, Chairman of the Commission for Personal Data Protection

        Croatia: Croatian Personal Data Protection Agency

        Selska Cesta 136, 10000 Zagreb

        Tel. +385 1 4609 000 / Fax +385 1 4609 099

        email: [email protected]

        Member: Mr Anto RAJKOVAČA, Director

        Cyprus: Commissioner for Personal Data Protection

        1 Iasonos Street, 1082 Nicosia

        P.O. Box 23378, CY-1682 Nicosia

        Tel. +357 22 818 456 / Fax +357 22 304 565

        email: [email protected]

        Member: Ms Irene LOIZIDOU NIKOLAIDOU, Commissioner for Personal Data Protection

        Czech Republic: Office for Personal Data Protection

        Pplk. Sochora 27, 170 00 Prague 7

        Tel. +420 234 665 111 / Fax +420 234 665 444

        email: [email protected]

        Member: Ms Ivana JANŮ, President

        Denmark: Datatilsynet

        Carl Jacobsens Vej 35, 2500 Valby

        Tel. +45 33 1932 00 / Fax +45 33 19 32 18

        email: [email protected]

        Member: Ms Cristina Angela GULISANO, Director

        Estonia: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)

        Tatari 39, 10134 Tallinn

        Tel. +372 6828 712

        email: [email protected]

        Member: Ms Pille Lehis, Director General

        Finland: Office of the Data Protection Ombudsman

        P.O. Box 800, FI-00531 Helsinki

        Tel. +358 29 56 66700 / Fax +358 29 56 66735

        email: [email protected]

        Member: Mr Reijo AARNIO, Ombudsman

        France: Commission Nationale de l'Informatique et des Libertés - CNIL

        3 Place de Fontenoy, TSA 80715 – 75334 Paris, Cedex 07

        Tel. +33 1 53 73 22 22 / Fax +33 1 53 73 22 00

        Email: N/A

        Member: Ms Marie-Laure DENIS, President of CNIL

        Germany: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit

        Husarenstraße 30, 53117 Bonn

        Tel.: +49 228 9977990 / Fax: +49 228 997799 5550

        email: [email protected]

        Member and joint representative: Mr Prof. Ulrich KELBER Federal Commissioner for Data Protection and Freedom of Information

        The competence for complaints is split among different data protection supervisory authorities in Germany, the link to the list is below (in Sources).

        Greece: Hellenic Data Protection Authority

        Kifisias Av. 1-3, PC 11523, Ampelokipi Athens

        Tel. +30 210 6475 600 / Fax +30 210 6475 628

        email: [email protected]

        Member: Mr Konstantinos Menoudakos, President of the Hellenic Data Protection Authority

        Hungary: Hungarian National Authority for Data Protection and Freedom of Information

        Szilágyi Erzsébet fasor 22/C, H-1125 Budapest

        Tel. +36 1 3911 400

        email: [email protected]

        Member: Dr Attila PÉTERFALVI, President of the National Authority for Data Protection and Freedom of Information

        Ireland: Data Protection Commission

        21 Fitzwilliam Square, Dublin 2, D02 RD28, Ireland

        Tel. +353 76 110 4800

        email: [email protected]

        Member: Ms Helen DIXON, Data Protection Commissioner

        Italy: Garante per la protezione dei dati personali

        Piazza di Monte Citorio, 121, 00186 Roma

        Tel. +39 06 69677 1 / Fax +39 06 69677 3785

        email: [email protected]

        Member: Mr Antonello SORO, President of Garante per la protezione dei dati personali

        Latvia: Data State Inspectorate

        Blaumana str. 11/13-15, 1011 Riga

        Tel. +371 6722 3131 / Fax +371 6722 3556

        email: [email protected]

        Member: Ms Jekaterina Macuka, Director of Data State Inspectorate

        Lithuania: State Data Protection Inspectorate

        A. Juozapaviciaus str. 6, LT-09310 Vilnius

        Tel. + 370 5 279 14 45 / Fax +370 5 261 94 94

        email: [email protected]

        Member: Mr Raimondas Andrijauskas, Director of the State Data Protection Inspectorate

        Luxembourg: Commission Nationale pour la Protection des Données

        1, avenue du Rock’n’Roll, L-4361 Esch-sur-Alzette

        Tel. +352 2610 60 1 / Fax +352 2610 60 29

        email: [email protected]

        Member: Ms Tine A. LARSEN, President of the Commission Nationale pour la Protection des Données

        Malta: Office of the Information and Data Protection Commissioner

        Second Floor, Airways House, High Street, Sliema SLM 1549

        Tel. +356 2328 7100 / Fax +356 2328 7198

        email: [email protected]

        Member: Mr Saviour CACHIA, Information and Data Protection Commissioner

        Netherlands: Autoriteit Persoonsgegevens

        Bezuidenhoutseweg 30, P.O. Box 93374

        2509 AJ Den Haag/The Hague

        Tel. +31 70 888 8500 / Fax +31 70 888 8501

        Member: Mr Aleid WOLFSEN, Chairman of the Autoriteit Persoonsgegevens

        Poland: Urząd Ochrony Danych Osobowych (Personal Data Protection Office)

        ul. Stawki 2, 00-193 Warsaw

        Tel. +48 22 531 03 00 / Fax +48 22 531 03 01

        email: [email protected]; [email protected]

        Member: Mr Jan NOWAK, President of the Personal Data Protection Office

        Portugal: Comissão Nacional de Protecção de Dados - CNPD

        Av. D. Carlos I, 134, 1º, 1200-651 Lisboa

        Tel. +351 21 392 84 00 / Fax +351 21 397 68 32

        email: [email protected]

        Member: Ms Filipa CALVÃO, President, Comissão Nacional de Protecção de Dados

        Romania: The National Supervisory Authority for Personal Data Processing

        B-dul Magheru 28-30, Sector 1, BUCUREŞTI

        Tel. +40 31 805 9211 / Fax +40 31 805 9602

        email: [email protected]

        Member: Ms Ancuţa Gianina OPRE, President of the National Supervisory Authority for Personal Data Processing

        Slovakia: Office for Personal Data Protection of the Slovak Republic

        Hraničná 12, 820 07 Bratislava 27

        Tel.: + 421 2 32 31 32 14 / Fax: + 421 2 32 31 32 34

        email: [email protected]

        Slovenia: Information Commissioner of the Republic of Slovenia

        Dunajska 22

        1000 Ljubljana

        Tel. +386 1 230 9730

        Fax +386 1 230 9778

        email: [email protected]

        Member: Ms Mojca PRELESNIK, Information Commissioner of the Republic of Slovenia

        Spain: Agencia Española de Protección de Datos (AEPD)

        C/Jorge Juan, 6, 28001 Madrid

        Tel. +34 91 266 3517

        Fax +34 91 455 5699

        email: [email protected]

        Member : Ms María del Mar España Martí, Director of the Spanish Data Protection Agency

        Sweden: Datainspektionen

        Drottninggatan 29, 5th Floor, Box 8114, 104 20 Stockholm

        Tel. +46 8 657 6100 / Fax +46 8 652 8652

        email: [email protected]

        Member: Ms Lena Lindgren Schelin, Director General of the Data Inspection Board

        The European Economic Area (EEA) countries, Iceland, Lichtenstein, Norway contacts below

        Iceland: Persónuvernd

        Rauðarárstígur 10, 105 Reykjavík

        Tel: +354 510 9600

        email: [email protected]

        Ms Helga Þórisdóttir, Commissioner

        Liechtenstein: Data Protection Authority, Principality of Liechtenstein

        Städtle 38, 9490 Vaduz, Principality of Liechtenstein

        Tel. +423 236 6090

        email: [email protected]

        Member: Dr Marie-Louise Gächter, Commissioner

        Norway: Datatilsynet

        Tollbugata 3, 0152 Oslo

        Tel +47 22 39 69 00

        email: [email protected]

        Member: Mr Bjørn Erik THON, Director-General

        If you have received a data breach notice or your data has been compromised or you noticed suspicious activity, this indicates that you are likely a victim of data breach and you may be entitled to compensation. Please let us know, so we can investigate this for a potential compensation claim.

        Data breached? Submit a claim now risk-free to get compensation - up to $750CLAIM NOW RISK-FREE



          Leave a comment

          Only registered users can post comment

          4,6 out of 5