Ask the Experts

Data Distress

I actively shop online. Who is responsible if a hacker steals my personal information?


Your question is important to anyone using the internet. Online shopping has become the norm for most of us and it amasses our personal information. Cybercriminals are fully aware of this and actively target e-tailers and their customers. Your data should be safe with them, but many cybercrimes have revealed that is not always true.

According to research, eight out of ten Americans shop online. This is a huge jump from 22 percent back in 2000. Over half of us have purchased something from our mobile phones, and 15 percent have clicked through a link shared on social media. Convenience has fueled this shift in shopping habits. High competition has also driven prices down, so items sold online can often be cheaper than those in retail stores.

When opening an online account, you need to provide personal and financial information. Data breaches are occurring more frequently and even Fortune 500 companies are getting hacked. Vulnerabilities are exploited daily and some enormous leaks of personal information have occurred in recent years.

Yahoo, for example, reported an attack in 2016 that resulted in 32 million accounts compromised, and the company is not alone. In recent years eBay, LinkedIn, Myspace, Tumblr, Facebook, Sony, Adobe and JP Morgan Chase have all suffered cyberattacks and data breaches. So, can they be held accountable for protecting your data?

As with most legal issues, it is a grey area. Federal laws governing cybercrime are often overseen by other agencies with varying levels of authority. The Federal Trade Commission Act strives to hold companies directly responsible for the protection of the consumer information they possess. Organizations can be held liable for failing to secure their systems against cyberattacks. For example, these threats have led the FOREX industry to make a large investment in data protection. In other industries, several fines have been handed out in recent years to companies and FTC penalties for transgressions now stand at around $40,000 per offense.

In addition to the FTC, the Securities and Exchange Commission (SEC) also has authority to enforce action. A million-dollar settlement from Morgan Stanley was made with the SEC in 2016 when the company was found guilty of neglect in securing client information. Data breaches may fall under negligence claims, however this depends on the situation. The consumer needs to prove that the company was negligent with personal information.

As the plaintiff, you would need to prove the company had a duty to protect the data, the duty was breached, you were harmed and the breach was the cause of it. You may avoid any loss by calling your credit card company. Otherwise, consumers can file a negligence claim to recover damages if a company is victim of an attack that results in data being

compromised. Insufficient security procedures and practices need to be substantiated in order to win your case. As we have seen in the past, this will happen no matter the size of the company.

Data collection is a business driven by profits at consumers’ expense… Jackie Speier.

Suzanne Hite is a former publications editor serving the technology services sector.