Data Breaches: Your Rights and Responsibilities

What are your rights in a data breach? Learn what to do if hackers steal your personal information.

By , Attorney University of Denver Sturm College of Law
Updated 6/04/2024

Data breaches have become all too common and can happen in many ways. Hackers might steal your personal information from a corporate server, your information might be inadvertently exposed on a company's website, or a company insider might steal your confidential data.

If your personal information was part of a data breach, you should understand your rights and the steps you must take to protect yourself.

What Is a Data Breach?

A "data breach" is when an unauthorized person illegally accesses your confidential, personal, or protected information. Exactly what is considered personal information depends on state law but usually includes your full name along with one or more of the following pieces of information:

  • your Social Security number
  • your driver's license number or state-issued identification card number
  • a credit or debit card number or an account number, including, in some cases, a security code, access code, password, or personal identification number (PIN)
  • your email address and password, or
  • your medical or biometric information.

Why Hackers Want Your Personal Information

Hackers often use stolen personal data for identity theft. With your personal information, a hacker can get new credit cards under your name (or use ones you already have), apply for loans in your name, or commit other kinds of financial fraud.

They can also impersonate you online, apply for government benefits, or file taxes and get a refund in your name. In some cases, a hacker might use your personal information to blackmail you.

Legal Obligations of Businesses to Protect Customer Data

In the United States, federal and state laws govern how companies must protect personal data.

Federal Laws Covering Data Breaches

A few of the federal laws covering this area include:

  • The Gramm-Leach-Bliley Act, which protects your personal financial information.
  • The Fair Credit Reporting Act (FCRA), which governs credit data and regulates how information in your credit reports can be used and accessed.
  • The Health Insurance Portability and Accountability Act (HIPAA), which protects private health information.
  • The U.S. Privacy Act of 1974, which governs the collection, maintenance, use, and dissemination of information about individuals that federal agencies keep in their records.
  • The Federal Trade Commission Act, which requires that companies making privacy promises (expressly or by implication) comply with those claims.

State Data Breach Laws

All 50 states and the District of Columbia have data breach laws to protect consumers. These laws generally require organizations to notify you if a data breach involving specific personal identifying information happens. (Some states also require companies to notify the state attorney general or a state agency after a breach.) To get a summary of these notification laws, go to the National Conference of State Legislatures website.

Several states also have laws specifically addressing consumer privacy. Some of these state consumer privacy laws include the California Consumer Privacy Rights Act (Cal. Civil Code § 1798.100 and following), the Colorado Privacy Act (Colo. Rev. Stat. § 6-1-1301 and following), the Connecticut Data Privacy Act, the Utah Consumer Privacy Act (Utah Code Ann. § 13-61-101 and following), and the Virginia Consumer Data Protection Act (Va. Code § 59.1-575 and following), among others.

In addition, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas enacted comprehensive consumer privacy laws in 2023. To learn about the laws in your state, talk to an attorney.

Other states are considering passing such laws. According to the National Conference of State Legislatures, many states introduced or considered consumer privacy bills in 2023. If you're concerned about privacy laws and the security of your data, demand that Congress and your state legislature pass laws to protect you.

Your Rights After a Data Breach

Under state privacy and data protection laws, you typically have the following rights.

  • Right to know. You often get the right to request that a company disclose the sensitive information about you that they collect, use, or disclose, as well as information about data practices.
  • Right to request a correction. Generally, you may ask that a company correct inaccurate personal information it has about you.
  • Right to opt out of targeted advertising and profiling. You may typically request that your personal information not be used for certain targeted advertising purposes.
  • Right to request a deletion. You have the right to request that a company delete the personal information it has collected from you.
  • Right to non-discrimination. You also usually get assurance that a company won't discriminate against you for exercising any of your rights.

Again, you have the right to be notified of a data breach. You also have the right to report a data breach to relevant authorities.

Keep in mind you don't have to give all your personal information to a third party in many circumstances, so don't. Also, don't unquestioningly accept a company's privacy policy without reading it. If you don't agree with a policy, don't accept it.

Data Breach: How to Spot Fraud

Victims of identity theft after a data breach often don't immediately realize that someone is using their information. Days, months, or even years later, you might get a call from a collection agency for a debt you don't recognize. Or an unfamiliar entry might turn up on your credit reports when you try to qualify for a home mortgage. You might even receive a court summons for a crime you didn't commit. Instances like these should alert you that you're probably the victim of identity theft.

To look for signs of identity theft, get copies of your credit reports from the three major credit bureaus. These are available weekly for free at www.annualcreditreport.com. Review your reports for fraudulent activity.

Also, don't ignore bills from people or companies you don't recognize. A bill on an account you don't know could indicate that an identity thief has opened an account in your name. Contact the company that sent the bill to find out.

Steps to Take If You're Affected by a Data Breach

If an identity thief steals your important personal information, like your Social Security number, you should take the following steps to limit the potential damage.

1. Place a Credit Freeze and Fraud Alert on Your Credit Files

If your sensitive information was exposed in a data breach, consider placing a credit freeze and fraud alert on your credit files. (Even if an identity thief isn't currently using your information to open new accounts, you don't know what might eventually happen with your stolen personal information.)

Placing a credit freeze on your credit reports. A credit freeze stops potential creditors from reviewing your credit reports to analyze your creditworthiness. Because creditors can't assess your credit status, a freeze stops an identity thief from opening new accounts under your name. Under federal law, placing or lifting a freeze on your credit files is free. To freeze your file with the three major credit reporting agencies (Equifax, Experian, and TransUnion), you must contact each agency.

Setting up a fraud alert. You might also consider putting a fraud alert on your credit files. With a fraud alert, a creditor must take additional steps to verify a person's identity after that person (or someone claiming to be that person) requests credit. Requesting a fraud alert at one of the three bureaus will automatically add it to the other two credit reporting agencies. An initial fraud alert will stay in place for a year.

If you do become a victim of identity theft and send a credit bureau an identity theft report (see below), you can request that it put an extended alert on your file. An extended alert stays in place for seven years.

Be aware that a fraud alert doesn't protect your credit as much as a credit freeze, so if you're only going to use one of these options, it's best to freeze your files.

2. Fix Your Credit Reports

If you find accounts in your credit reports that result from identity theft, file disputes about those items with each credit reporting agency that shows the accounts. Include a copy of your identity theft report and proof of your identity, such as your name, address, and Social Security number.

If you don't have an identity theft report, you can still dispute information in your credit reports, but the process could take longer, and the credit bureaus might not remove the information.

3. Report the Identity Theft to the FTC at IdentityTheft.gov

After you find evidence of identity theft, report the theft online (at no cost) and get a recovery plan at the Federal Trade Commission (FTC) website IdentityTheft.gov. You can also get an identity theft report. Getting an identity theft report triggers some important legal rights that can help you recover from the theft. You may use the report to show creditors and businesses that you were the victim of identity theft.

You'll also get additional forms to deal with the consequences of identity theft and step-by-step guidance throughout the process. For instance, your recovery plan will explain what you need to do and the forms you'll need to take when you make your police report (see below).

To get more information about how to protect yourself if someone steals your identity or what to do after your personal information is compromised in a data breach, go to IdentityTheft.gov's data breach section.

4. File a Police Report

If you find evidence of identity theft, contact your local police department and inform them that someone stole your identity and you want to file a report. Sometimes, law enforcement is reluctant to take an identity theft report because of a lack of resources to investigate the crime. You might need to show them the FTC's Memo to Law Enforcement.

You must make the report before taking advantage of numerous consumer protections. If you find yourself being turned away, politely but firmly insist on giving the report, even if the department has no intention of investigating the crime. Be aware that some states have laws that require the police department to take a report of identity theft. It helps to approach the police department in person or to call using the non-emergency number. Also, the department's website will likely provide helpful instructions, and you might be able to make your report online.

Then, get a copy of the report. You might need a copy of the report to complete other recovery steps.

5. Call the Companies Where the Identity Thief Opened New Accounts

Call the companies where the identity thief opened new accounts. When you call, ask for the fraud department and tell them that someone stole your identity. Ask the company to close or freeze the accounts so that no one can add new charges unless you agree. Be sure to change all your account logins, passwords, and PINs.

6. Change Your Passwords

Change your passwords for your banks, financial, and other accounts. Create strong passwords (for example, don't use your birthday or pet's name), and don't use the same password for every account.

Also, use two-factor authentication, which requires you to use a secondary form of verification, such as a code sent to your phone, before accessing your accounts.

7. Notify Your Bank, Financial Institutions, and Others About the Theft

Contact your bank, other financial institutions, and creditors to alert them and to monitor your accounts for any fraudulent activities.

8. File Your Taxes as Soon as Possible

A hacker who gets your Social Security number might use it to get a tax refund. You can prevent this from happening by filing your taxes before the scammer does.

9. You Might Need to Take More Steps, Depending On Your Situation

Depending on your situation, you might also need to, among other things:

  • deal with tax-related identity theft
  • contact your utility companies
  • handle federal student loans that the thief took out in your name
  • prevent debt collectors from trying to collect debts that are the result of identity theft
  • clear up any criminal charges resulting from the identity theft, or
  • report the misuse of your Social Security number.

Can I Sue for a Data Breach?

If a company failed to protect you from a data breach, consider talking to a consumer protection attorney. A lawyer can identify any potential civil or criminal liability related to the breach, help you protect your rights, and possibly recover damages.

You might also consider talking to a lawyer if you need help straightening out your finances, dealing with debt collection agencies, or getting credit bureaus to remove fraudulent information from your credit reports after an identity thief opens new accounts in your name. An attorney can also advise you of all rights and the remedies available under federal and state law.
