Data Breach Rights: What to Do When Your Information Is Compromised

When a company loses your personal data in a breach, you face risks of identity theft, fraud, and ongoing privacy violations. Understanding your rights helps you take protective action and hold negligent companies accountable. For guidance on what to do after a data breach, visit the Federal Trade Commission's data breach resources.

Breach Notification Laws: All 50 states require companies to notify you of data breaches. The notice must include what was exposed, what the company is doing, and steps you should take.

Understanding Data Breaches

What Gets Exposed

  • Social Security numbers
  • Financial account information
  • Credit card numbers
  • Medical records
  • Login credentials
  • Driver's license numbers

How Breaches Happen

  • Hacking attacks
  • Employee negligence
  • Lost or stolen devices
  • Vendor/third-party exposure
  • Insider theft
  • Misconfigured systems

Potential Harm

  • Identity theft
  • Financial fraud
  • Tax fraud
  • Medical identity theft
  • Account takeovers
  • Ongoing risk of exposure

Act Quickly: The first 90 days after a breach are critical. Criminals often use stolen data quickly before protections are in place. Take immediate action even if you don't see fraud yet.

Immediate Protective Steps

Credit Monitoring and Freezes

  • Place fraud alert (free, 1 year)
  • Consider credit freeze (stronger protection)
  • Enroll in offered free monitoring
  • Check credit reports immediately

Financial Account Protection

  • Change passwords (especially if reused)
  • Enable two-factor authentication
  • Set up transaction alerts
  • Review recent transactions
  • Consider new card numbers

Tax Protection

  • File taxes early
  • Request IRS Identity Protection PIN
  • Watch for unexpected tax documents

Documentation

  • Save breach notification
  • Note what data was exposed
  • Document any fraud that occurs
  • Keep records of time spent

Company Obligations

Breach Notification Requirements

  • Must notify within set timeframe (varies by state)
  • Must describe data compromised
  • Must provide contact information
  • Must suggest protective steps

Free Services Often Offered

  • Credit monitoring (1-2 years typical)
  • Identity theft protection
  • Identity restoration services
  • Credit report access

What Companies Should Do

  • Secure systems to prevent further breach
  • Investigate what was accessed
  • Cooperate with law enforcement
  • Help affected customers

Accept Free Services: Even if you're angry at the company, accept offered free credit monitoring. It's useful protection and accepting doesn't waive your right to sue.

Your Legal Rights

State Breach Laws

  • Right to timely notification
  • Right to know what was exposed
  • Some states allow private lawsuits
  • State AG can take enforcement action

Privacy Regulations

  • CCPA (California): Right to sue for breaches
  • HIPAA (Health): Protections for medical data
  • GLBA (Financial): Financial data protections

Common Law Claims

  • Negligence (failed to protect data)
  • Breach of contract
  • Breach of implied contract
  • Unjust enrichment

Class Action Lawsuits

Major Breach Settlements

  • Often provide cash payments
  • Credit monitoring services
  • Reimbursement for fraud losses
  • Coverage for time spent on recovery

Joining a Class Action

  • Usually automatic inclusion
  • Must file claim to receive payment
  • Watch for notice in mail/email
  • Check class action databases

Opting Out

  • May opt out and sue individually
  • Makes sense for significant damages
  • Need your own attorney
  • Deadline to opt out is strict

Claim Deadlines: Class action settlements have strict deadlines to file claims. Mark your calendar when you receive notice - missing deadlines means no compensation.

If Fraud Occurs

Immediate Actions

  • Report to affected financial institutions
  • File police report
  • Report to FTC at IdentityTheft.gov
  • Document all fraudulent activity

Claiming Damages

  • Keep records of all losses
  • Document time spent on recovery
  • Save receipts for protective services
  • Note emotional distress

Connecting Fraud to Breach

  • Timeline proximity matters
  • Type of data exposed vs. fraud type
  • No other known exposure
  • Helps establish causation

Filing Complaints

Regulatory Complaints

  • State AG: Consumer protection division
  • FTC: For pattern of negligence
  • HHS OCR: For HIPAA breaches
  • State banking regulators: For financial institutions

What to Include

  • Copy of breach notification
  • Description of harm suffered
  • Company's response
  • Any fraud that occurred

Long-Term Protection

Ongoing Monitoring

  • Continue credit monitoring after free period
  • Check credit reports annually
  • Review financial statements monthly
  • Watch for signs of identity theft

Permanent Protections

  • IRS Identity Protection PIN (renew annually)
  • Credit freezes (keep in place)
  • Strong unique passwords
  • Two-factor authentication everywhere

If Affected Data Is Permanent

  • SSN - lifelong monitoring needed
  • Medical records - watch for medical ID theft
  • Biometric data - can't be changed

About FreeDemandLetter

FreeDemandLetter is a free consumer advocacy platform that helps people recover money owed to them. Our AI-powered tool generates professional demand letters with location-specific legal citations across 270+ jurisdictions in 14 countries.
