All personally identifiable data is crucial

Data breaches come in all shapes and sizes, but all are serious incidents. When personal information that can affect people's daily lives is at stake, no breach can be ignored. That said, some breaches have a subject that appears a bit lighter than others. Take the recent breach that hit Hershey in September. Hackers hit the famous chocolate maker with a phishing scheme that led to unauthorized access to company email accounts. According to Hershey's report to the Maine Attorney General, over 2,200 people were impacted, and the intruders "may have had access to certain personal information."

That information includes names, medical records, contact information, credit card numbers, driver's license numbers, and other personally identifiable information (PII). For some of those affected, even financial records were compromised.

In a similar incident, Oreo maker Mondelez experienced a data breach earlier this year through a third-party security failure: a breach at a law firm that provided legal services to the company.

These incidents may evoke a craving for chocolate as surely as personal data lures in cyber criminals, but despite the lighter subject, the effects on consumers are no less serious than those of, say, the previously reported breach at the ancestry service 23andMe. There, hackers were able to steal the personal details of 6.9 million users: they compromised thousands of individual accounts by reusing passwords leaked in other breaches (credential stuffing), then harvested what those accounts could see about their DNA relatives. The company then quietly changed its terms of service in an attempt to retroactively head off lawsuits. By asserting that customers must explicitly reject the new terms within 30 days of notification or else be bound by them, the firm hopes to sidestep any legal repercussions.

Unfortunately for 23andMe, "opting out" is no longer a viable stipulation under a number of data protection regulations. GDPR has been a recent pioneer in requiring the alternative opt-in model: companies must be the ones to expressly obtain consumer permission before processing personal data. The California Consumer Privacy Act (CCPA) also contains opt-in elements.

That said, 23andMe might have had better standing in this case if it could prove that it provided reasonable notice along with an opt-out option; Chicago-Kent College of Law's Nancy Kim does not believe that to be the case here, nor that courts would uphold the attempt. As it stands, 23andMe's mandatory arbitration clause tries to strip consumers of their right to seek restitution in court.

In an incident as serious as this one, which exposed people's personal data based on traits such as ethnic group or religion, the safety of their personal information, their very identity, is paramount. More organizations will likely discover this as regulations continue to expand consumer rights.


By: Jonathan Weicher, post on December 12, 2023
Originally published at: https://www.netlibsecurity.com
Copyright: NetLib Security