Consumer Step-by-Step Guide: What to do when a data breach happens.
We all know that data breaches now happen more often than ever before, leaving the data of millions of people compromised. While this topic is widely covered by the media and various publications, very little advice is given to ordinary people about what to do and how to protect yourself if you are the victim of a data breach or identity theft.
To answer this question it is important to establish all the facts of the breach, because they determine what you should do in your case. These include the following:
- Identify which company exactly has suffered the data incident.
- Confirm that the data breach actually happened.
- Determine the country or state where the data breach occurred and the country or state of the company's headquarters.
- Check whether your home country or state laws provide better data privacy protection.
- What is the nature of the breach, and was any of your sensitive information compromised?
- Did you suffer identity theft because of the data breach, or not yet?
- Checklist of what to do when a data breach happens.
In this article we cover a few types of data breaches to show how sensitive information can be compromised, and give our advice on what you should do in each scenario, so continue reading.
Identify which company exactly has suffered a data breach.
Today, when you entrust your personal data to any organization or company, it can be accessed by many more organizations: website hosting providers, marketing email providers or facilitators, CDN providers, platforms used for (re)marketing purposes such as Google, Facebook, Twitter and many more. This list could go on and on. So when a data incident happens, the way it is identified does not always reveal the exact source of the data leak.
For example, if the company did internal monitoring and flagged suspicious activity or a security loophole that was exploited, the good news is that at least the source of the data leak is clear. But sometimes the news picks up a story about a dataset dumped on the dark web and offered for sale. In this case, it is far from clear what exactly the source of the information is. Yes, it is likely the company that has those users as its clients, but it might be a different company, a service provider that merely processes the information on its behalf. Another scenario is that hackers use a security breach at one company in order to tap into another company's systems and database.
So, as you can see, answering this simple question can be quite complex. Once the source of a data breach is identified, the organization concerned will inform the customers who might potentially be affected and will initiate an investigation into the root cause of the data incident. This information becomes known when one of the companies responds with a data breach notice, often published on its website, as organizations are required by law to promptly report data breaches and notify their customers. Each state in the USA has such a data breach notification law, as do the UK and the EU member countries.
Get confirmation that the data breach actually happened.
As you now know, data breach laws require companies to give notice of data incidents. If you received an email about a data breach, it might be a legitimate notice from the company, or it might be a phishing attack by hackers impersonating the company in order to obtain more of your personal information. So we advise you to check the company's official website for a notice of the breach, or write to the company's official email address (by composing a new email rather than replying to the one you received). You should typically see a privacy notice or privacy policy link in the footer of any website; that page will have details for contacting the organization on privacy issues. Once the breach is confirmed, it is important to get more information about its nature and its potential effect on you.
It is sometimes useful to understand what type of data breach happened. It can simply be:
- a cybersecurity breach (aka hack), or
- a data leak (aka unauthorized disclosure), either by an insider (an employee's reckless, negligent or accidental wrongful disclosure or destruction of information) or by outside perpetrators.
Determine the country or state where the data breach occurred and the country or state of the company's headquarters.
In today's world of cloud computing, with multiple services involved to enhance the user's experience, your data can be stored in and accessed from many different locations. So determining the country where the breach occurred may not be an easy task; companies often use servers in several countries, and a breach may be international in nature (it can happen in several countries at once). This is usually identified in the course of the company's internal investigation or as part of an external investigation by the regulators.
An alternative approach is to establish which company specifically suffered the breach and where that organization is located or registered. Some businesses operate globally under one brand umbrella based on a franchising model. In such cases each country's business is typically separately owned and controlled and might not be part of the global headquarters. So whether it is one vertically integrated and controlled business or a chain of different businesses may affect how and where compensation can be claimed.
The above information may be useful to establish the best possible jurisdiction for making a consumer claim for compensation and which authorities to submit a complaint to.
The domestic laws of the country where the breach occurred may have better consumer privacy protections in place than the country of your residence. For example, if you are a resident of New York, a state which at the time of writing has not specifically allowed a private right of action for compensation, and you have suffered from a British Airways data breach in the UK, you will enjoy the better data protection regime in the UK, which allows you to claim compensation for such a data breach.
Check whether your home country or state laws provide better data privacy protection.
Your privacy rights are regulated by the law of the country or state where you are resident. Privacy is regulated differently in different places, and your rights largely depend on the current privacy laws:
- If you are a resident of California, you can benefit from the CCPA privacy law.
- If you are a resident of the UK, you enjoy extensive data protection rights under the UK GDPR, which include the right to claim compensation.
- If you are a resident of any country that is part of the EU or EEA, you are lucky to have the EU GDPR data protection regime, which is the best international standard favouring the individual's privacy and provides the right to claim compensation.
So check whether you can take advantage of some of the best current privacy regulations worldwide.
What is the nature of the breach, and was any of your sensitive information compromised?
Early on, when a data leak happens, organizations typically have limited information about the underlying security breach and its nature. However, depending on the company's privacy policies and procedures, an organization can often tell which information was encrypted or not affected at all. This is not a guarantee, but it is helpful information. While some companies are honest about a data breach and tell their customers the truth, others are secretive and dishonest. Some go further and offer money to hackers to keep quiet about a data breach, which is likely to be far more expensive for any organization to deal with in the long run. So whatever a company tells its customers in a data breach notice is preliminary information and might not be true at all.
So what should you do in this case? We advise you to check what types of information you shared with the organization, i.e. whether you shared any sensitive information. Sensitive information is defined very differently in different countries, and even each state in the US has a different approach. Typically, it includes:
- Sensitive health information (mental health conditions, HIV or other disease information, etc.)
- Financial or bank information, such as bank account details and account statements (most companies do not store credit card information; it is usually processed by third parties)
- Passport, driver's license, ID details, social security number. While credit card information may seem like a big deal, a credit or debit card can easily be reissued with new details. A social security number, however, cannot be changed and can be used by bad actors in many different ways.
- Biometric personal information: fingerprints, facial recognition images, your bodily measurements, etc.
- Any information about your sex life or dating (such as dating profiles or membership of particular sex clubs or websites of interest)
- Any personal information of minor children.
- Any criminal, civil or other court records, or information about them
- Any other non-public sensitive information that might compromise you or subject you to discrimination
If you shared any of the above information, first ask the organization whether this information was stored in encrypted form, second whether the information was accessible through that security breach, and third whether any of the above was compromised. Organizations often separate sensitive information from other personal information and keep it in encrypted form, to reduce the risk of all information being compromised in the event of a security breach.
Some of the above sensitive information may allow bad actors to impersonate you and rent or buy property, apply for employment benefits, file fake tax returns, and commit other illegal acts in your name. If a data leak affected you, or may have enabled access to sensitive information, it is better to play safe and do more than would be needed after a regular data breach, to reduce both known risks and potential risks that have not yet materialised. Once you know the nature of the data breach, you can move on to the next step.
Did you suffer identity theft because of the data breach, or not yet?
If you suffered any harm as a result of a data breach, it can include:
- Economic losses: if somebody took out loans, rented a car, obtained credit, wrongfully filed taxes, etc. in your name.
- Lost or reduced ability to do business, borrow money or retain customers; lost earning potential (lost job); loss of future business.
- Out-of-pocket expenses (OPE): any expenses to monitor accounts or make necessary changes.
- Unfair discrimination or treatment.
- Keep receipts and track all expenses to be reimbursed. Typically, companies will reimburse reasonable OPE within a bracket of $20,000.
Keep in mind that according to some recent surveys only 1 in 5 people are notified about a data breach or know that their data has been compromised, so a large number of data breaches continue to be exploited for months, sometimes years. Importantly, on average every third person experiences identity theft, fraud or some form of real loss, which can happen anywhere from 6 to 24 months after a data breach. So part of the question is what to do to identify any identity theft or fraud in time, and what steps to take to avoid negative effects on your personal or professional life and prevent any losses from occurring.
Checklist of what to do when a data breach happens.
First, regardless of the type of data breach, you should consider doing the following:
- Track any expenses or losses you may face. Keep receipts and records.
- If the company concerned offers you credit or fraud monitoring and/or identity theft protection, consider accepting it, but only if that does not require you to waive any rights to bring claims for compensation or losses.
- Change your login and password details (including security questions and answers). Hackers know most people use the same passwords everywhere.
- Start using two-factor authentication, at least for email and critical accounts, if not for all your accounts.
- Submit a request for a free evaluation of your case to check whether you have the right to claim compensation. Depending on the circumstances and the country or state of your residence, data breach compensation can reach $750 in the US and up to €1,000 or £1,000, even if you have not suffered economic losses. In serious cases, compensation amounts can be much higher.
If your online account credentials were compromised, we suggest you do the following:
- Log in to that account and change your password. If possible, also change your username and security questions.
- Set up two-factor authentication (using your secured telephone).
- If you can't log in, contact the organization as soon as possible. Ask them how you can recover, freeze or shut down the account, as fits your circumstances (ideally downloading the information the company held on you, so you have a good understanding of what may have been compromised).
- If you use the same password elsewhere, change that login credential there too.
- If access to your email inbox was compromised, then you may have to do a heavy-duty exercise, which includes:
  - checking the access log (to see who accessed the account and when);
  - asking the company to trace any user session recordings of unauthorized sessions on your account. Many organizations record users' behaviour on their site for analytics and improvements. This may be a good starting point to identify what, if anything, was done with your inbox.
- Depending on these results, your further actions will differ, and the organization must offer to help you track fraud and online identity theft. A lot depends on your prompt action to mitigate and prevent harm. At a minimum, do the maximum you can as per this checklist, and depending on your case it might be worth checking with lawyers on any issues that arise.
If you had a bank or financial data breach:
- Contact your bank or credit card company to:
  - cancel your card and request a new one;
  - put an alert on your bank account record, so the bank tracks your activity more closely, or put a freeze on your account; or
  - ideally, close the account and open a new one.
- Check your account for any charges that you don't recognise.
- Monitor your account for any new activity, new products or services requested.
- Check to make sure your personal account details are correct and up to date, including telephone number, email, address details and security questions. Consider changing them if you think that information may be at risk.
- If you have recurring subscription payments, update your payment method with a new card or otherwise.
- Check your credit report at annualcreditreport.com.
If your US Social Security number was compromised.
As happened in a recent credit reporting agency's data breach, your identity theft risk is really high. You should do the following, as per the FTC recommendations:
- If the company responsible for the data breach offers you free credit monitoring, take advantage of it, but without waiving your rights.
- Obtain your free credit reports from AnnualCreditReport.com to look for activity you don't recognize. You can request a free report from any of the credit reporting companies once a year.
- Consider a credit freeze on your accounts with the three major credit reporting agencies. This will make it more difficult for bad actors to open a new account in your name.
- If you decide not to place a credit freeze, seriously consider placing a fraud alert at a minimum.
- File your taxes early, before bad actors use your exposed Social Security number to file a fraudulent tax return to get a tax refund or a job. Promptly respond to any letter from the IRS.
- Don't believe anyone who calls and says you'll be arrested unless you pay taxes or a debt, even if they claim to be from the IRS; they are most likely not. You may ask for an official government email address (it must end in .gov) or office number and call back for clarification.
If your ID or driver's license number was compromised.
- Contact your local Division of Motor Vehicles to apply for a duplicate and/or flag your number, to catch anyone trying to use it.
- Submit a claim for compensation with DataClaim. Click "check compensation" to submit a request for a free evaluation of your case. Please include as much information as possible, so we can carefully review your case and determine whether you may be eligible to claim compensation.
- Submit a complaint about the data breach or identity theft to a regulator or the authorities.
You can also submit a complaint about your data breach or identity theft to regulators and authorities, so they can investigate it further and, where appropriate, penalize the company.
If you are in the United States, the US Federal Trade Commission accepts data breach and identity theft complaints:
- Call 1-877-FTC-HELP (1-877-382-4357) or 1-877-438-4338.
- Report it online at identitytheft.gov.
- Consider submitting a report to other federal government agencies that might be concerned (see the list of relevant contacts in the attachments).
You can also submit a complaint to state and local enforcement authorities:
- The Attorney General's office in your state.
- Your local police department. Take with you:
  - a copy of your FTC Identity Theft Report;
  - state photo ID;
  - proof of your address (rental contract or utility bill);
  - any other proof you have of identity theft (bills, IRS notices, etc.);
  - the FTC's Memo to Law Enforcement (see the screenshot, available as an attachment below).
In the UK, you can submit a data breach complaint to the ICO:
- By email to [email protected]
- By phone: telephone 0303 123 1113, textphone 01625 545860, Monday to Friday, 9am to 4:30pm.
- Live chat: https://ico.org.uk/global/contact-us/live-chat/live-chat-individuals/
In EU or EEA countries, you can submit a data breach complaint to your national Data Protection Authority.
Submit a claim against the company to claim compensation. This is where DataClaim can help: you can submit a request for a free evaluation of your case to check your eligibility to claim compensation.
Submit a complaint to the national Data Protection Authority of your country in the EU or EEA. Friendly reminder: the EU GDPR also applies in all EEA countries.
European Data Protection Supervisor
Rue Wiertz 60, 1047 Bruxelles/Brussel, Office: Rue Montoyer 30, 6th floor
Tel. +32 2 283 19 00 / Fax +32 2 283 19 50
email: [email protected]
Member: Mr Wojciech Wiewiórowski, European Data Protection Supervisor
Austria: Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Wien
Tel. +43 1 52152 2550
email: [email protected]
Member: Dr Andrea JELINEK, Director
Belgium: Autorité de la protection des données - Gegevensbeschermingsautoriteit (APD-GBA)
Rue de la Presse 35 – Drukpersstraat 35, 1000 Bruxelles - Brussel
Tel. +32 2 274 48 00 / Fax +32 2 274 48 35
email: [email protected]
Member: Mr David Stevens, President
Bulgaria: Commission for Personal Data Protection
2, Prof. Tsvetan Lazarov blvd., Sofia 1592
Tel. + 359 2 915 3580 / Fax +359 2 915 3525
email: [email protected]
Member: Mr Ventsislav KARADJOV, Chairman of the Commission for Personal Data Protection
Croatia: Croatian Personal Data Protection Agency
Selska Cesta 136, 10000 Zagreb
Tel. +385 1 4609 000 / Fax +385 1 4609 099
email: [email protected]
Member: Mr Anto RAJKOVAČA, Director
Cyprus: Commissioner for Personal Data Protection
1 Iasonos Street, 1082 Nicosia
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456 / Fax +357 22 304 565
email: [email protected]
Member: Ms Irene LOIZIDOU NIKOLAIDOU, Commissioner for Personal Data Protection
Czech Republic: Office for Personal Data Protection
Pplk. Sochora 27, 170 00 Prague 7
Tel. +420 234 665 111 / Fax +420 234 665 444
email: [email protected]
Member: Ms Ivana JANŮ, President
Denmark: Datatilsynet
Carl Jacobsens Vej 35, 2500 Valby
Tel. +45 33 1932 00 / Fax +45 33 19 32 18
email: [email protected]
Member: Ms Cristina Angela GULISANO, Director
Estonia: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39, 10134 Tallinn
Tel. +372 6828 712
email: [email protected]
Member: Ms Pille Lehis, Director General
Finland: Office of the Data Protection Ombudsman
P.O. Box 800, FI-00531 Helsinki
Tel. +358 29 56 66700 / Fax +358 29 56 66735
email: [email protected]
Member: Mr Reijo AARNIO, Ombudsman
France: Commission Nationale de l'Informatique et des Libertés - CNIL
3 Place de Fontenoy, TSA 80715 – 75334 Paris, Cedex 07
Tel. +33 1 53 73 22 22 / Fax +33 1 53 73 22 00
Email: N/A
Member: Ms Marie-Laure DENIS, President of CNIL
Germany: Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Husarenstraße 30, 53117 Bonn
Tel.: +49 228 9977990 / Fax: +49 228 997799 5550
email: [email protected]
Member and joint representative: Mr Prof. Ulrich KELBER, Federal Commissioner for Data Protection and Freedom of Information
The competence for complaints is split among different data protection supervisory authorities in Germany; the link to the list is below (in Sources).
Greece: Hellenic Data Protection Authority
Kifisias Av. 1-3, PC 11523, Ampelokipi Athens
Tel. +30 210 6475 600 / Fax +30 210 6475 628
email: [email protected]
Member: Mr Konstantinos Menoudakos, President of the Hellenic Data Protection Authority
Hungary: Hungarian National Authority for Data Protection and Freedom of Information
Szilágyi Erzsébet fasor 22/C, H-1125 Budapest
Tel. +36 1 3911 400
email: [email protected]
Member: Dr Attila PÉTERFALVI, President of the National Authority for Data Protection and Freedom of Information
Ireland: Data Protection Commission
21 Fitzwilliam Square, Dublin 2, D02 RD28, Ireland
Tel. +353 76 110 4800
email: [email protected]
Member: Ms Helen DIXON, Data Protection Commissioner
Italy: Garante per la protezione dei dati personali
Piazza di Monte Citorio, 121, 00186 Roma
Tel. +39 06 69677 1 / Fax +39 06 69677 3785
email: [email protected]
Member: Mr Antonello SORO, President of Garante per la protezione dei dati personali
Latvia: Data State Inspectorate
Blaumana str. 11/13-15, 1011 Riga
Tel. +371 6722 3131 / Fax +371 6722 3556
email: [email protected]
Member: Ms Jekaterina Macuka, Director of Data State Inspectorate
Lithuania: State Data Protection Inspectorate
A. Juozapaviciaus str. 6, LT-09310 Vilnius
Tel. + 370 5 279 14 45 / Fax +370 5 261 94 94
email: [email protected]
Member: Mr Raimondas Andrijauskas, Director of the State Data Protection Inspectorate
Luxembourg: Commission Nationale pour la Protection des Données
1, avenue du Rock’n’Roll, L-4361 Esch-sur-Alzette
Tel. +352 2610 60 1 / Fax +352 2610 60 29
email: [email protected]
Member: Ms Tine A. LARSEN, President of the Commission Nationale pour la Protection des Données
Malta: Office of the Information and Data Protection Commissioner
Second Floor, Airways House, High Street, Sliema SLM 1549
Tel. +356 2328 7100 / Fax +356 2328 7198
email: [email protected]
Member: Mr Saviour CACHIA, Information and Data Protection Commissioner
Netherlands: Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30, P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500 / Fax +31 70 888 8501
Member: Mr Aleid WOLFSEN, Chairman of the Autoriteit Persoonsgegevens
Poland: Urząd Ochrony Danych Osobowych (Personal Data Protection Office)
ul. Stawki 2, 00-193 Warsaw
Tel. +48 22 531 03 00 / Fax +48 22 531 03 01
email: [email protected]; [email protected]
Member: Mr Jan NOWAK, President of the Personal Data Protection Office
Portugal: Comissão Nacional de Protecção de Dados - CNPD
Av. D. Carlos I, 134, 1º, 1200-651 Lisboa
Tel. +351 21 392 84 00 / Fax +351 21 397 68 32
email: [email protected]
Member: Ms Filipa CALVÃO, President, Comissão Nacional de Protecção de Dados
Romania: The National Supervisory Authority for Personal Data Processing
B-dul Magheru 28-30, Sector 1, BUCUREŞTI
Tel. +40 31 805 9211 / Fax +40 31 805 9602
email: [email protected]
Member: Ms Ancuţa Gianina OPRE, President of the National Supervisory Authority for Personal Data Processing
Slovakia: Office for Personal Data Protection of the Slovak Republic
Hraničná 12, 820 07 Bratislava 27
Tel.: + 421 2 32 31 32 14 / Fax: + 421 2 32 31 32 34
email: [email protected]
Slovenia: Information Commissioner of the Republic of Slovenia
Dunajska 22
1000 Ljubljana
Tel. +386 1 230 9730
Fax +386 1 230 9778
email: [email protected]
Member: Ms Mojca PRELESNIK, Information Commissioner of the Republic of Slovenia
Spain: Agencia Española de Protección de Datos (AEPD)
C/Jorge Juan, 6, 28001 Madrid
Tel. +34 91 266 3517
Fax +34 91 455 5699
email: [email protected]
Member: Ms María del Mar España Martí, Director of the Spanish Data Protection Agency
Sweden: Datainspektionen
Drottninggatan 29, 5th Floor, Box 8114, 104 20 Stockholm
Tel. +46 8 657 6100 / Fax +46 8 652 8652
email: [email protected]
Member: Ms Lena Lindgren Schelin, Director General of the Data Inspection Board
The European Economic Area (EEA) countries Iceland, Liechtenstein and Norway: contacts below
Iceland: Persónuvernd
Rauðarárstígur 10, 105 Reykjavík
Tel: +354 510 9600
email: [email protected]
Member: Ms Helga Þórisdóttir, Commissioner
Liechtenstein: Data Protection Authority, Principality of Liechtenstein
Städtle 38, 9490 Vaduz, Principality of Liechtenstein
Tel. +423 236 6090
email: [email protected]
Member: Dr Marie-Louise Gächter, Commissioner
Norway: Datatilsynet
Tollbugata 3, 0152 Oslo
Tel +47 22 39 69 00
email: [email protected]
Member: Mr Bjørn Erik THON, Director-General
If you have received a data breach notice, your data has been compromised, or you have noticed suspicious activity, you are likely a victim of a data breach and may be entitled to compensation. Please let us know, so we can investigate this for a potential compensation claim.
Attachments
- List of US Federal agencies to report data breach.png (45.655 kibibytes)
- US FTC's identity theft Memo to Law Enforcement.png (38.265 kibibytes)