FLORIDA – Following a ransomware attack at Beaches Energy in Jacksonville Beach, the News4JAX I-TEAM looked into consumers’ rights when personal data is stolen from a trusted entity and what state law requires companies to do after a breach.
The credit agency Equifax agreed to pay $575 million to the FTC and its customers in 2019 after a cyber security breach, making it one of the biggest data breach fines levied against an American company.
Investigators said the company failed to fix a critical vulnerability leading to 150 million customers’ data being compromised. The FTC also found that Equifax failed to inform the public of the breach until weeks after the attack.
April Jones, who is concerned about hacks, said companies should be held accountable.
“It’s so easy nowadays, companies should do better with their security,” Jones said.
The ransomware attack on Jacksonville Beach residents is on a smaller scale compared to the attack on Equifax customers, but Shannon Schott, a lawyer, said citizens can take legal action against a city or municipality, though there are limits.
“Whenever you want to sue a government entity, it’s extremely complicated because they have what’s called the right to sovereign immunity,” Schott said. “You must meet conditions where you have to file certain notices and comply with different laws and municipal ordinances in order to have the right to sue. And when you establish that right, you might only have up to $200,000 of coverage available because of the statutory caps on recovery for sovereign entities.”
Schott said under the Florida Information Protection Act, both public and private businesses have to notify their customers within 30 days of the data breach. She said hacked companies are also required to tell the affected client the size and breadth of the breach and the personal information that was stolen, or face a fine.
Schott said for entities like AT&T, which reported a cyber security breach of more than 75 million customers recently, individuals can pursue legal action, but they must be able to prove the detrimental effects they are experiencing.
She added that it becomes more complicated to seek financial relief in class action lawsuits where hundreds of people pursue legal action at the same time. She also said that accepting free credit monitoring services from a company can water down a victim’s legal case.
“When an entity sends you that notification letter, there may be an offer to resolve any claims or causes of action that you might have as someone who’s the victim of this breach,” Schott said. “Anytime you receive an offer to resolve a case, it’s always prudent to have an attorney review that, especially if you had some serious damages related to the breach, because you might be giving up some rights related to your cause of action against the entity that resulted in the data breach.”
Schott said holding accountable a social media company like Meta, or another that requires users to sign a contract, is a completely different legal animal. Experts said that protections for the company are often hidden in the fine print of the consumer agreement. She said more needs to be done to protect consumers on a federal level.
“Our legislators have really left us to our own devices when it comes to protecting our data so there is a lot of personal responsibility. And you and being mindful of what the worst-case scenario could be,” Schott said.
Lawyers said it’s important that consumers read the fine print of the contracts they sign where they have to share personal information. Shareholders and business owners can also seek a financial settlement if their company’s information is compromised, but they must be able to prove financial loss or reputational damage.