In this episode, John Maher speaks with attorney Michael Forrest of Mazow McCullough about data breaches and how they affect individuals and businesses. Forrest explains the most common types of breaches—such as ransomware attacks and insider theft—and the types of data typically targeted, including personal and protected health information. He discusses how bad actors use stolen data for identity or medical fraud, the legal obligations businesses have after a breach, and potential legal claims for victims, including negligence and consumer protection violations. Michael also offers advice on what steps to take if you receive a data breach notification and how an attorney can help assess your legal options.
John Maher: Hi, I’m John Maher and I’m here today with Michael Forrest of the Law Office of Mazow McCullough. Today we’re talking about data breaches. Welcome, Michael.
Michael Forrest: Hey, how are you, Tom? Thanks for having me.
Common Types of Data Breaches
Maher: Good, thanks. Michael, what are some of the most common types of data breaches and what are some examples?
Forrest: Sure. These days what we’re seeing is a lot of ransomware attacks. In a ransomware, what will happen is a bad actor will enter into, say, a company system. It may be there for quite a while and nobody knows that it’s there, but eventually what will happen is they’ll take the data, they’ll copy it, and they’ll let the business know, “Hey, we have your data.”
And in a ransomware instance, they’ll say, “If you don’t pay us a certain amount of money, we’re going to release the data publicly.” You do see a lot of those, the ransomwares, especially with larger companies, because they obviously have the ability to pay these ransoms. It isn’t uncommon for companies to pay these ransoms, unfortunately.
The other type of breach we see is an internal breach. So, you may have a rogue employee that improperly accesses data, copies data, takes the data for criminal purposes. In the past, we’ve seen rogue employees take credit card numbers, things like that, to use for fraud later down the line.
What Types of Data Are Stolen and What Are the Risks?
Maher: Speaking of which, what are some of the types of data that are typically stolen in these breaches? And what are the risks?
Forrest: So, you have two different types of data primarily. The first would be your personal information. Personal information is considered things like your name, your date of birth, your social security number, your credit card. Those are personal information items. Oftentimes, again, bad actors will obtain those for the purpose of identity fraud or credit card fraud. We don’t always see the fraud itself happen immediately. Many times what happens is the bad actors will hold onto the information for some time. But with that personal information, you’re often looking at financial or identity fraud.
The other type of information is protected health information. So, that’s your PHI, as it’s referred to, and that includes your medical records, medical treatment history, doctor’s notes. And oftentimes that information is taken for the idea of medical identity theft. Sometimes you’ll have institutions where breaches are both. The bad actors obtain all the personal information as well as all of the PHI or medical information, and that usually happens at larger hospitals.
What is Medical Fraud?
Maher: What is medical fraud and what would they gain from getting that information?
Forrest: Well, they would try to obtain services through the credentials of the individual. It’s similar to identity fraud, however, you’d be pursuing identity fraud for a particular purpose, and that would be medical care.
Legal Obligations for Businesses After a Data Breach
Maher: Okay. What legal obligations do businesses have after a data breach has happened at their company?
Forrest: Well, I think in Massachusetts everybody has a right to privacy. So, if a business collects any of this personal information, Massachusetts requires they keep it confidential and they keep it private. Again, everybody in Massachusetts has a right to their privacy. So, when the company takes this information from you, sometimes it’s sensitive information. In addition, if it’s health information, there are federal regulations that require safeguards to be put in place to protect that information.
What Legal Claims Arise After a Data Breach?
Maher: And then finally, what legal claims can arise from a data breach? And what are the potential remedies for people who have had their private information stolen?
Forrest: Right. I mean, you could have everything from a negligence claim, because they didn’t fulfill the requirements to do the things they had to do. You could have a breach of contract because they had promised to keep your information private and they didn’t keep it private. You may have a Consumer Protection Act claim.
In Massachusetts, if a business practice is unfair or deceptive, you may have the ability to pursue a claim under that. And then oftentimes what you’ll see people seek is either monetary damages or credit and identity monitoring for long periods of time. You’ll see that in class action cases which arise from data breaches, that they try to provide long-term identity theft monitoring.
What Should You Do if Your Information is Stolen?
Maher: If you have had your information stolen, maybe you get a notification from a company, “Oh, sorry, we need to let you know that your information has been taken from us.” What should you do next? What would be the first step?
Forrest: I think the first step when you receive the notice is to make sure to not worry too much. Unfortunately, data breaches are all over these days, and just because you receive a notice doesn’t necessarily mean that fraud’s going to happen to you, or bad actors are going to come after you.
After that, I would consult an attorney. I would talk to an attorney about the scope of the breach, if they’re aware of the scope of the breach, what you can do next, what your remedies are legally against the company. But again, I think that it’s important for people not to over-concern themselves.
It is a concern, don’t get me wrong, but it’s not just because you get the notice letter. Again, the notice letter is often required by either the state or the federal government. So, just because you got that notice letter doesn’t mean that immediately you’ve been the victim of fraud. So it’s important to talk to an attorney to see where you stand.
Maher: All right, that’s great information, Michael. Thanks again for speaking with me today.
Forrest: Thank you so much, John.
Maher: And for more information, you can visit the website of Mazow McCullough at helpinginjured.com or call (978) 744-8000.