Holding Companies Accountable When They Allow a Breach of Your Personal Data

By Truong Pham

Understanding Data Breach

A data breach is the unauthorized access or disclosure of sensitive or confidential information by a third party. This unauthorized access can occur through various means, including cyberattacks, inadequate data security practices, vulnerabilities in third-party systems and software, ransomware, malware, and phishing.

Data breaches are motivated in part by financial gain. In some instances, hackers gain unauthorized access to vulnerable computer systems or networks to steal sensitive, personal, or financial information belonging to the individuals whose data is stored within. Information stolen in a data breach can be used for malicious purposes, such as identity theft, or sold on the dark web in exchange for currency.

Residents of California may recover for damages arising from a data breach involving their personal information.

What Is Personally Identifiable Information?

Personally Identifiable Information or PII stored on a computer system or network is typically the target of a data breach. The California Consumer Privacy Act (“CCPA”) defines personal information as information that identifies, relates to, or could reasonably be linked with an individual or an individual’s household. For example, personal information or sensitive personal information could include an individual’s name, address, social security number, email address, driver’s license number, passport number, or other identifiers.

Have You Received a Data Breach Letter?

In California, the law requires businesses and state agencies to notify any California resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person. This notification must be made by a business or state agency following a data breach and must be made without unreasonable delay.

A Notice of Data Breach letter is required under California law following a data breach and is meant to inform consumers whose personal information was involved in the breach of the following information: (1) “What Happened,” (2) “What Information Was Involved,” (3) “What We Are Doing,” (4) “What You Can Do,” and (5) “For More Information.”

California Consumer Privacy Act (“CCPA”)

Under the CCPA, businesses that collect consumers’ personal information are required to implement reasonable security practices and procedures to protect this information.

Business and Consumer Defined

The CCPA defines a business as a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners. A consumer is defined as a person who is a California resident.

Remedies Under the CCPA

Consumers whose personal information was involved in a data breach may bring a private right of action to recover damages and injunctive or declaratory relief. Statutory damages under the CCPA are no less than $100 and no more than $750 per consumer per incident or actual damages, whichever is greater. (See Civ. Code § 1798.150.)

Notice Requirement

However, prior to filing a claim for damages, a consumer must provide a business with 30 days written notice of the violations and an opportunity to cure the violations that led to the breach. (See Civ. Code § 1798.150.)

Of course, residents of California are not strictly limited to recovery under the CCPA. In fact, victims of data breaches may be entitled to financial compensation among other remedies available under various consumer protection statutes and laws in California.

Data Breach Class Actions

Data breach lawsuits are oftentimes brought as a class action by a representative plaintiff (usually a victim of the data breach) on behalf of a class of individuals who have been similarly affected by a data breach. These individuals often share a common set of circumstances, such as having their personal information accessed, used, or exposed by an unauthorized third party.

Due to the nature of class actions and the number of class members involved, a class action lawsuit is one way of creating systemic change in how a business or state agency collects, secures, encrypts, or safeguards its members’ personal information.

Class actions require counsel who can competently and adequately represent the interests of the class. At Arns Davis Law, our class action attorneys have considerable experience litigating complex class actions in both state and federal courts. In addition, our class action attorneys have been appointed class counsel on numerous complex class actions in both state and federal courts.

The MOVEit Breach and How We Can Help

In May 2023, hackers exploited a vulnerability in the MOVEit file transfer software to access sensitive and confidential information belonging to various organizations and individuals, including financial institutions, colleges, health care organizations, and public pension funds.

As a result of this breach, over 2,000 organizations and over 60,000,000 individuals have had their information exposed.

At Arns Davis Law we are dedicated to fighting for your rights. If you believe you’ve been a victim of the MOVEit data breach or any other breach, please contact our data breach attorneys today to schedule a free consultation.
