Answer FileConsumer Protection
What can I do after a data breach exposes my information?
Freeze your credit at all three bureaus — free under federal law — and watch accounts closely. California's CCPA gives consumers a private right of action under Civil Code section 1798.150 when unencrypted personal information is exposed through a business's failure to maintain reasonable security, with statutory damages available per consumer, per incident.
Defense first: place free security freezes with all three credit bureaus, change reused passwords, enable two-factor authentication, and treat post-breach emails and calls as presumptively phishing, since breach lists fuel targeted scams. California businesses must notify affected residents of a breach under Civil Code section 1798.82, and the notice's description of what was taken — Social Security numbers versus emails — calibrates the response; take any offered credit monitoring, which does not waive claims in most cases. On the offense side, California is unusually strong: the California Consumer Privacy Act gives consumers a private right of action under Civil Code section 1798.150 when nonencrypted, nonredacted personal information is exfiltrated because a business failed to maintain reasonable security procedures. Statutory damages are available per consumer, per incident, without proving out-of-pocket loss, after a 30-day written notice that gives the business a chance to cure. Actual losses from resulting identity theft support additional claims, so keep records of every fraudulent charge and hour spent.
Authority: Cal. Civ. Code § 1798.150
Legal information, not legal advice.
More from this answer file
Counsel for this matter
Read the record. Then decide.
Describe your matter once, review the verified records, and place the call — the choice is always yours.
Find Your Counsel195,000+ attorneys · 58 counties · Official State Bar records