In 2020, over 155 million people were affected by data exposure. It is an increasingly indisputable fact that data breaches are becoming a common feature of our network-connected lives. Even daily tasks such as grocery shopping or checking social media carry with them the risk of having important private information stolen.
If a person thinks they are impervious to having their personal data exposed, a look at recent headlines may convince them otherwise. Big-name corporations such as Uber, British Airways, Nintendo, Marriott, Yahoo, LinkedIn, Facebook, Wendy’s fast-food restaurant, and retail giant Target have been victims of public, large-scale incidents of data breach affecting millions of customers.
What Is a Data Breach?
A data breach, or data leak, is the intentional or unintentional release of secure information to an unknown environment. In this situation, information is stolen or otherwise extracted from an organization, usually a company, without authorization. The data may be used for various purposes.
Healthcare is the most common industry in which data breaches occur. Organizations particularly susceptible to data leaks include hospitals, nursing homes, private practices, health insurance companies, university-affiliated medical centers, and mobile apps used by healthcare systems and their patients. But the healthcare industry is not alone in its vulnerability to data breaches. Behind healthcare at number one, the government, retail, manufacturing, education, and financial industries all rank highly as potential targets.
A data breach is the release of confidential information which may pertain to an organization, group, company, or individual. “Data” is a broad term, but in the case of a data breach it most commonly refers to the following types of sensitive information:
- Credit or debit card data
- Financial/bank account numbers
- Account login credentials
- User passwords
- Social security numbers
- Confidential business records
- Names and birthdates
- Addresses and phone numbers
- Email accounts
- Medical records
- Tax histories
- Passports and driver’s license numbers
Causes of a Data Breach
Many people think of a data breach as the result of a malicious cyber-attack by a hacker. Hacking does, in fact, account for over half of data breaches, but there are many other ways information can be released, some of them far less pernicious and some quite preventable.
- Hacking. The stereotypical image of a single hacker hunched over a screen is ubiquitous, but physical threats of breaking and entering are just as real as virtual ones.
- Malware. “Malicious software” is designed to probe systems and cause harm. Ransomware, which disables systems and demands a ransom for their release, is also a danger, especially to large businesses, organizations, and government bodies.
- Ineffective Security Measures and Vulnerable Software. Holes and weak spots in an organization’s network invite disaster. Cybercriminals are skilled in reconnoitering systems and targeting points at which it is possible to extract data or introduce malware.
- Improper Disposal Practices. One way information is leaked is when documents, equipment, or data storage devices are discarded without being properly cleaned, shredded, emptied, or wiped.
- Employee Negligence. This can include weak passwords, leaving login information out in the open, sharing account data, not adequately protecting sensitive data, leaving laptops or other devices open in public, or responding to phishing scam emails (fraudulent emails which seem legitimate, but encourage the recipient to open or download malware).
- Employee Misconduct. Some breaches result from ignorance or carelessness, but others from willfully malicious actions. Whether for profit-seeking or other reasons, a current or former employee may choose to use inside information to infiltrate and harm the network of an organization.
Data Breach Research Findings
Recent information on the prevalence, characteristics, and ramifications of data breaches can be found in published studies such as the Ponemon Cost of a Data Breach Report put out by IBM and the NetDiligence Cyber Claims Study. The following statistics give some insight into the occurrence of data breaches:
- The average time to identify and contain a breach is 280 days.
- The average cost of a data breach in the U.S. is $3.86 million.
- The United States is the country with the highest cost per incident of breach.
- Hacking accounts for over half of data breaches.
- Working remotely due to COVID-19 increased the time to detect and contain breaches.
- Remote work heightened vulnerability, and online scams exponentially increased.
- The average settlement amount for a data breach lawsuit is over $250,000.
Many people do not realize the legal implications of data breaches. First, there are the legal obligations which follow a breach incident: the targeted organizations must comply with federal and state laws to give notice of the breach and adhere to mandatory regulations. In 47 U.S. states, plus Washington D.C., legislation requires the breached organization to notify affected individuals and follow specified protocols. The Federal Trade Commission (FTC), as well as state governments, requires that various measures be taken after a breach occurs. For example, actions such as forensic investigations, notification of law enforcement, updating credentials, and preserving evidence are necessary.
Secondly, there are legal implications relevant to the individuals affected by a data breach. In most cases, it is extremely difficult to prosecute a cybercriminal who caused a breach and released confidential data. Under certain circumstances, it is possible to take legal action against the company or organization possessing the data when the breach occurred, if negligence on the part of the company and specified damages incurred on the part of the plaintiff can be shown.
A data breach lawsuit may be a large class action or filed by a single individual. In past cases, plaintiffs have sought damages for unauthorized use of finances, harm to personal credit, investigation charges, anxiety and emotional distress, and increased risk of future harm, among other damages. In this nascent and rapidly developing field of law, cases often hinge upon whether it can be proven that victims have suffered actual injury and cognizable damages as a result of the data breach. Plaintiffs are often challenged to demonstrate a cognizable injury, which can be difficult to show in data breach cases.
Legislation for this somewhat murky area continues to evolve, and lawyers need expertise in information technology, data leaks, personal information protection, intellectual property rights, and emerging information and relevant legislation to stay knowledgeable and successfully represent clients whose personal information has been exposed. Without full awareness of the appropriate legal procedures for seeking compensation after a data breach, victims may be at a disadvantage in recovering the losses they incurred.
If your personal data has been exposed during a breach, reach out to a qualified attorney as soon as possible to discuss your circumstances. Those who have been affected by a data breach may be eligible to file or take part in an existing lawsuit. If you have questions and want to learn more about your rights and options, get in touch with one of our attorneys at The Solomon Law Group. Our firm may be able to help you.