this post was submitted on 08 Oct 2024

US Law (local/state/federal)


A company I have no business relationship with sent me a breach notice stating that criminals got my data. This company is a supplier to many banks, brokerages, insurance companies, etc.

Obviously I want to know which of my banks or insurance companies I am doing business with trusted them with my data. I called and asked. They refused to tell me. But they have made it deliberately complicated. The phone number they gave to breach victims is for a 3rd party call center who knows nothing. So the call center says “we don’t have that info”.

Question: do financial/analytics orgs (or whatever the fuck they are) have a legal obligation to provide data breach victims with the SOURCE of the info? Do they have to tell me which of my banks (or whatever) hired them to be a custodian of my data?

What rights do data breach victims have?

(more background: https://links.hackliberty.org/post/2667522)

(update)
Thanks for all the useful feedback folks! I guess the question that remains is whether there are any federal laws that require the disclosure I am after. I looked up the law for my state here and found no law entitling breach victims to be informed of the source of their personal data. It would help to know the law because the AG, CFPB, and FTC will be limited to the law themselves.

top 9 comments
[–] Fiivemacs@lemmy.ca 17 points 1 month ago (1 children)

Create alias emails for EVERY company. When they sell and this shit happens, you know who to go after, not like anything will happen anyways.

[–] soloActivist@links.hackliberty.org 14 points 1 month ago* (last edited 1 month ago) (1 children)

I do in fact do that. It’s very useful. But the breach notice came by postal mail.

(edit) In fact, it would have been cheaper for them to send the breach notices by email. I suspect they chose postal mail precisely to conceal from victims who the data source was due to people’s use of email aliases.

[–] SpaceNoodle@lemmy.world 11 points 1 month ago (1 children)

Get an alias home for EVERY company ...

[–] Nollij@sopuli.xyz 3 points 1 month ago (1 children)

This is actually easy enough to do if you own the top level address. E.g. 123 Main St. Just use # or suite unique to the company. It will be up to you to remember that 123 Main St, #874 means it came from your bank.

[–] SpaceNoodle@lemmy.world 4 points 1 month ago (1 children)

Ah yes, the easiest of first steps: own a house.

[–] Nollij@sopuli.xyz 1 points 1 month ago

I've lived in multiple apartments that use the same style. I suspect it's not an option for most vertical housing (apartments/condos on top of each other), but townhouse-style apartments are common once you leave the city centers.

[–] KillerTofu@lemmy.world 13 points 1 month ago

Contact your state's attorney general since it is not specific to you. When Hollywood Video went under, my state's AG helped dispute the bullshit late charges that weren’t real that the debt consolidation company fabricated on my account.

[–] ultranaut@lemmy.world 9 points 1 month ago* (last edited 1 month ago)

Possibly a complaint via the CFPB would help if you are in the US: https://www.consumerfinance.gov/complaint/

Contacting your state AG is good advice too.

[–] Anticorp@lemmy.world 5 points 1 month ago

Dude, every company under the sun is selling all of our data to anyone who will buy it. You buy an apple at the grocery store and your insurance company knows about it by the next day. It's fucking preposterous! Our legislators need to be held accountable for egregious dereliction of duty.