Ronald Allen of Oklahoma is one of many individuals who experienced significant hardship in 2022 following a data breach at Samsung, involving the theft of customer data such as names, email addresses, and birthdates.
Following notification of the breach, Allen reported an attempt to open an account in his name. A bank alerted him to his credit card information appearing on the Dark Web. He subsequently spent considerable time canceling accounts, disputing charges, and updating passwords. He now dedicates a significant portion of his weekly time to monitoring his financial accounts for unauthorized activity.
The ensuing lawsuit alleged that a series of data breaches revealed inadequate security measures. However, attempts to hold Samsung accountable proved unsuccessful. In a January 3rd ruling, New Jersey District Judge Christine O’Hearn stated that the plaintiffs failed to demonstrate direct harm resulting from the data breach. Judge O’Hearn reasoned that data theft is commonplace, making it impossible to definitively link Allen’s or others’ compromised identities to this specific breach.
In legal filings, Samsung argued that the absence of stolen Social Security numbers and credit card numbers, coupled with the impossibility of proving malicious use of the leaked data, negated the plaintiffs’ case. The company’s lawyers argued in a motion to dismiss that, “A court must dismiss a data breach class action where the Plaintiffs fail to ‘adequately allege’ damages ‘stemming from a data breach.’”
Incidents like the Samsung data breach are increasingly prevalent as individuals and companies store more data online. According to a report by the Identity Theft Resource Center (ITRC), 2024 saw 3,158 data breaches—a 70% increase from 2021—resulting in nearly 1.7 billion notifications to potentially affected individuals.
ITRC data indicates six megabreaches in 2024, each affecting at least 100 million individuals. The ITRC further suggests that four of these megabreaches could have been prevented through the implementation of multi-factor authentication. Optum, a UnitedHealth subsidiary, acknowledged this in a May 2024 congressional hearing.
Each data breach increases the likelihood of subsequent breaches. Hackers leverage stolen personal information to gain access to other company systems, triggering further breaches. This likely contributes to the surge in data breaches. However, many compromised companies face minimal consequences.
While publicly traded companies and those subject to federal regulation face penalties for data breaches, the ITRC reports that only about 7% of all breaches involve publicly traded companies. No national law governs how other organizations must respond to a breach. “We don’t have an actual privacy law, or any uniform, minimum standards,” notes James Lee, president of ITRC.
Upon discovering a data compromise, companies are not always obligated to inform affected customers. State laws dictate the required actions, and in many states the company itself assesses the risk to individuals; if it deems the risk negligible, notification is not mandatory. Even when notices are sent, the company often controls their content and may omit details about how the breach occurred or exactly which information was stolen.
Customer notifications offer limited practical assistance. Credit freezes and account monitoring are possible, but compensation for time lost or financial losses due to data compromise requires legal action. Successfully suing for financial relief is challenging, Lee explains, as plaintiffs must prove direct harm from the breach. The multiplicity of attacks makes pinpointing the source of individual problems almost impossible.
Consequently, few companies face significant financial accountability for data breaches. Florida even has a law shielding companies from data breach lawsuits if they demonstrate compliance with specific security protocols.
Security experts highlight readily implementable measures to protect information—measures frequently neglected by companies. These include multi-factor authentication, regular password changes for employees, and ensuring vendor security protocols.
“It’s a bit of a cycle where prior breaches fuel future breaches,” observes Aaron Cookstra, a director at Aon Cyber Solutions’ threat intelligence team. “But we don’t see companies consistently taking the necessary steps to prevent this from becoming a recurring problem.”
Lee of the ITRC advocates for a national privacy law establishing minimum cybersecurity standards and outlining companies’ obligations following data breaches. While establishing such standards is challenging due to the evolving sophistication of hacking techniques, Lee contends that simply mandating proactive measures would constitute a significant improvement.