Your credit card number may have been stolen – data breach

I received a letter that my personal identification or credit card number may have been stolen, what should I do?

Although McCready Law handle personal injury, workers’ compensation and disability cases, we frequently receive calls from clients who have received a letter informing them that their personal information may have been compromised. While we specialize in injury cases, some people contact us inquiring about whether they have a case. This month’s column will answer the common questions of what happens when a company suffers a data breach and your personal or credit card information is stolen.

How data breaches occur

A huge amount of information is stored digitally on computers. Every customer, client or patient has information stored electronically. Companies store every purchase or transaction with a credit or debit card. It is essential that this information is secure. There have been many ways personal or financial information has been compromised. It may be as simple as a stolen laptop or a misplaced thumb drive containing client information. Sometimes someone breaks into the computer system of a company and steals the data. Thieves have even replaced the credit card machines at stores to gain access to credit cards and PIN numbers. The reality of our electronic society is that huge amounts of data can be stolen very quickly.

When a data breach occurs

Companies which experience a data breach may be exposed to much more than just bad publicity. Companies such as Target, Advocate Health and TJ Maxx have had massive data breaches involving tens of millions of people. The law requires that companies who have a data breach must notify the people that their personal information has been compromised. Odds are, you have received some notification from some company in the past. This is not the company doing the responsible thing by notifying you, it is required by federal law.

What you should do if you are notified your information was compromised

If it was your credit or debit card information, you should immediately contact your credit card and request a new credit card. While this may take a few days to get a new one, it is worthwhile to take this precaution. While you would not be liable for any unauthorized charges, it is very time consuming to challenge a fraudulent transaction and the credit card company issues you a new account anyway! Also, your card may be placed on a fraud alert anyway and it may delay your use of your card.
If it is your personal information, you should contact the credit bureaus and have them flag your credit file for potential fraudulent activity. There are three of them. Contact Equifax or (800) 525-6285 , Experian or (888) 397-3742, and Transunion or (800) 680-7289. You should also request a copy of your credit report. You can get one free copy from each of the credit reporting agencies once a year at Finally, if the company offers a free credit monitoring service for a period of time, by all means, take advantage of this offer. It may require you to fill out a brief form, but it is well worthwhile to have the company pay to monitor your credit. Finally, most data breaches do not result in fraudulent activity. But, the potential is there so you must be wary.

If you have fraud, what should you do?

If you do have fraudulent activity as the result of your personal information or credit being stolen, there are several steps you should take. First, rest assured that you will not be liable for fraudulent charges. But, contesting the fraud is a big hassle. If you are the victim of identity theft such as someone opening accounts in your name, there are many more things you should do. The Federal Trade Commission (FTC) has an informative publication, “What to do if your Identity is Stolen” which you should consult.

What you can’t do

I always encourage my clients to call me if they think they have a case. I would rather spend five minutes speaking with a client and explaining they do not have a case than for a client not to know they had a case in the first place. But when it comes to a case against the company who allowed your information to be stolen, unfortunately, there likely is no case. Courts have held that in order to bring a case, you must prove actual damages. The fact that you may be more susceptible to fraud is not enough to be the basis of a lawsuit. If you are the actual victim of fraud and can prove it is the result of the data breach, you would have a case for any damages you sustain. But, unlike an injury case, your damages are limited to the financial harm you suffer. Also, as stated above, credit cards and banks will reverse the charges if there is fraud. In this way, the credit card company or the bank is the victim, not you.

This newsletter is brought to you by the Law Offices of McCready Law on the Third Thursday of every month. To suggest a future topic, a charitable cause or perhaps your favorite lawyer joke or dessert recipe, please e-mail us.

by Michael McCready