On May 24, 2022, C.R. England, a national trucking company, reported a data breach to the California Attorney General’s Office. 224,572 individuals were affected by the breach.
According to the company, on October 30, 2021, C.R. England “discovered unauthorized activity on our systems.” After an investigation, the company said the unauthorized activity included access to files stored within its systems.
The sensitive personal information that may have been accessed includes individuals’ full names and Social Security numbers (SSNs).
Given the date on the Notice, it appears the company did not begin to notify affected individuals until almost seven months after the breach was discovered. The full notice provided to the California Attorney General can be viewed here.
C.R. England is offering affected individuals complimentary identity monitoring services through IDX. The deadline for enrollment in IDX services is listed in the Notice as August 23, 2022.
Special California Laws Protect You
California has laws that specifically protect your personal information.
- The California Customer Records Act(CCRA) requires businesses to put into place and maintain reasonable security procedures and practices to protect consumer’s personal information. Companies must also notify affected California consumers quickly and without unreasonable delay.
- The California Consumer Privacy Act (CCPA) contains many protections for personal information of California residents, including the implementation and maintenance of reasonable security procedures.
If certain types of personal information, like Social Security numbers and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the CCPA and CCRA.
Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.
As Electronic Personal Data Doesn’t Degrade, One Year Of Identity Theft Services Offered by C.R. England May Not Be Enough
Cyber crimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is low (under $20 per record, depending on the type of information according to Privacy Affairs Dark Web Index of 2021). Certain critical types of personal information – like Social Security numbers, names, and birth dates – are almost impossible to change.
Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.
Not every data breach will lead to identity theft. But once you know your data has been disclosed, it is reasonable to be concerned that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.
Personal data is incredibly valuable, both to businesses and to criminals who want to sell that information on the dark web to identity thieves and other black marketeers. However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”[1] The stakes are high: Data breach victims are more likely to also be victims of additional fraud.[2]
[1] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).
[2] Same
