Why Companies Aren’t Held Accountable For Data Breaches

Oklahoma resident Ronald Allen was one of dozens of people who say their lives became more difficult in 2022 after customer data like names, email addresses, and birth dates was stolen from Samsung, the Korean electronics company. 

After Allen was notified of the breach, he says, someone attempted to open an account in his name. A bank informed him his credit-card information had been found on the Dark Web, a part of the Internet where criminals often sell and buy personal information. Allen says he’s since spent many hours on the phone cancelling accounts, disputing charges, and changing his passwords. He says he spends a chunk of time every week checking his financial accounts for unauthorized activity, according to a multidistrict legal complaint filed against Samsung.

The complaint alleged that a string of data breaches was indicative of lax security practices. But the effort to hold Samsung accountable has been unsuccessful. The customers did not prove that they had suffered specifically because of the data breach, District Judge Christine O’Hearn of New Jersey wrote in an opinion on Jan. 3. People’s information is stolen all the time, O’Hearn reasoned, and there’s no way to know that Allen or others had their identity compromised because of this particular data breach.


Samsung argued in legal filings that because information like Social Security numbers and credit card numbers were not stolen in the breach, and because it’s impossible to know whether the data breach information was used for malicious purposes, the plaintiffs didn’t have a case. “A court must dismiss a data breach class action where the Plaintiffs fail to ‘adequately allege’ damages ‘stemming from a data breach,’” lawyers for the company wrote in a motion to dismiss. 

Incidents like the Samsung data breach have become common as people and companies store more information online. There were 3,158 data breaches in 2024, up 70% from 2021, which resulted in nearly 1.7 billion notices going out to potentially affected individuals, according to a report released January 28 by the Identity Theft Resource Center (ITRC).

There were six megabreaches in 2024, in which at least 100 million victims were affected, according to ITRC. Four of those breaches could have been prevented if the organizations used multi-factor authentication, a security method that requires users to provide more than one form of authentication to access an account, according to ITRC. One of the companies involved in a megabreach, Change Healthcare, a subsidiary of United Health, admitted as much in a May 2024 congressional hearing. 

Each data breach makes additional ones more likely. When hackers steal personal information, they can use that information to get into other companies’ systems and launch more data breaches. That’s one likely reason the number of data breaches has spiked. But many of the companies compromised get off with a slap on the wrist—if that. 

Though public companies and others regulated by the federal government face stricter financial penalties for data breaches, only about 7% of all breaches come from publicly-traded companies, according to ITRC. There’s no national law covering what other organizations should do if they have been compromised. “We don’t have an actual privacy law, or any uniform, minimum standards,” says James Lee, the president of ITRC.


When a company learns that its customers’ data has been compromised, it may not even have to inform them of the problem. State laws determine what a company needs to do when its information has been accessed by an unauthorized party. And in most states, Lee says, the compromised company itself can decide whether there is a risk of harm to individuals. If it determines there’s no risk, it doesn’t have to send out notices. Even if it does, in many states the company determines what those notices say. It can decline to inform customers how the information was compromised or which personal information was stolen.

Of course, sending out a notice to customers doesn’t help them much. They can freeze their credit or closely monitor their accounts, but they won’t get compensated for their time or refunded money because their information was compromised. For that, they’d have to sue, or have someone do it on their behalf. But it’s extremely difficult to successfully sue a company for financial relief after a data breach, Lee says. As Ronald Allen learned, plaintiffs have to prove they have been harmed by the incursion. With so many different attacks, it’s almost impossible to know which one caused a customer’s problems. 

As a result, few companies can be held financially accountable for data breaches. Florida has even passed a law that says companies can’t be sued at all for data breaches if they demonstrate they have implemented certain security procedures. 

Yet security experts say there are some easy things companies can do to protect information—and that many aren’t doing them. These steps include using multi-factor authentication, making sure that employees are changing their passwords frequently, and ensuring that vendors and other companies they work with have appropriate measures in place. 

“It’s a little bit of a cycle where prior breaches feed into future breaches,” says Aaron Cookstra, a director with the threat intel team at Aon Cyber Solutions. “But we don’t see companies necessarily taking the measures that they need to avoid that potentially becoming an issue down the line for them.” 

Lee of the ITRC is holding out for a national privacy law that would set minimum standards for what cybersecurity safeguards companies need to have in place and what they have to do when their data has been compromised. It is hard to establish those standards because hackers keep getting smarter, and companies need to constantly change their security procedures to keep information safe. But even saying that companies have to do something to protect customers’ information, Lee says, would be a big step in the right direction.
