On May 10, 2022, MX Holdings US, Inc. and its subsidiary companies, including CFP Fire Protection, COSCO Fire Protection, and Firetrol Protection Systems reported a data breach to the California Attorney General’s Office.
According to MX Holdings, in late October 2021, MX Holdings “observed suspicious activity within our email system.” After an investigation, MX Holdings said that an unauthorized third party was able to access several of its email accounts. Five months later, around April 5, 2022, the company determined that the compromised email accounts contained personal information.
What information may be at risk?
Depending on the individual, the personal information at risk includes:
- Dates of Birth
- Social Security Numbers
- Driver’s License Numbers
- Passport Numbers
- Financial Account Numbers
- Limited Medical Information
From the sample notices, it would appear that MX Holdings is only offering affected individuals whose Social Security Number is at risk complementary credit monitoring services through Transunion.
Corporations Should Be Held Accountable For Data Breaches
Personal data is incredibly valuable, both to businesses and to criminals who want to sell that information on the dark web to identity thieves and other black marketeers. However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.” The stakes are high: Data breach victims are more likely to also be victims of additional fraud.
“Data breaches, particularly when they involve sensitive information such as Social Security numbers and health records, threaten the privacy, security, and economic wellbeing of consumers.”
Special California Laws Protect You
California has laws that specifically protect your personal information.
- The California Customer Records Act (CCRA) requires businesses to put into place and maintain reasonable security procedures and practices to protect consumer’s personal information. Companies must also notify affected California consumers quickly and without unreasonable delay.
- The California Consumer Privacy Act (CCPA) contains many protections for personal information of California residents, including the implementation and maintenance of reasonable security procedures.
If certain types of personal information, like Social Security numbers and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the CCPA and CCRA. Medical information is additionally covered by the California Confidentiality of Medical Information Act.
If you are a California resident and received a Recent Notice of Data Breach from MX Holdings, you may be entitled to between $100 and $1,000 and/or your actual damages, whichever is greater. Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.
Not every data breach will lead to identity theft. But once you know your data has been disclosed, it is reasonable to be concerned that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.
Signs that your identity may have been stolen include:
- you see unfamiliar charges on your credit or debit cards
- you have bank account withdrawals that you can’t account for
- you are getting medical bills for services you didn’t get
- you are getting called by debt collectors for debts that aren’t yours
- shops won’t take your personal checks
- you stop getting bills that you usually get in the mail
- you get a notice from that IRS that (1) there is more than one tax return filed in your name or (2) you have income you failed to report and don’t recognize³
- your email address or phone number come up on http://haveibeenpwned.com/ as part of a data breach
 Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).
 Source: R. Bonta, California Attorney General, BULLETIN: Obligation to Proactively Reduce Vulnerabilities to Ransomware Attacks and Requirements Regarding Health Data Breach Reporting (2021).