Ask HN: What do you do is you suspect a company has had a data breach?

4 points by imzadi ↗ HN
I use a catchall email address and create a new email address whenever I need to create a new account on a website. I have recently begun receiving a phishing emails to an email address that is only associated with one account. It's a company I used to purchase items from a few years ago. I haven't purchased anything from them for about 3 years. Since this is a unique email, it had to have been associated with a data breach or a violation of the their privacy policy. I have looked on their website and done some searches, and I don't see any mention of them having a disclosed data breach. Is there something I should be doing?

2 comments

[ 6.5 ms ] story [ 32.3 ms ] thread
This of course depends on the jurisdiction.

Report the suspected breach to the company or organisation. Copy that to your local consumer protection government agency, usually your state attorney general's office in the US. State AGs are also generally responsible for data breach notifications where state laws require this (e.g., California).

The US FTC has a data breach resource guide with specific directions for businesses and individuals: <https://www.ftc.gov/data-breach-resources>. The consumer guide is here: <https://www.bulkorder.ftc.gov/system/files/publications/pdf-...> (PDF, 4 pages). It's ... not especially useful, mostly a guide to what information you should seek to protect.

You can report data breaches (and other cibercrime) to the FBI's tip line: <https://tips.fbi.gov/>

I'm not finding any particularly outstanding advice or guidance under "responsible disclosure" or similar terms, or from public online privacy organisations such as the EFF.

I'd suggest notifying any entity you suspect of a data breach that you'll be making the information public. Not as a threat or consequence of lack of response, which could be interpreted as blackmail, but simply as part of your standard procedure.

If you have a household or business attorney, you might also contact them for guidance. If you don't, you can generally get recommendations and a free consult through your local bar association.

In many jurisdictions, companies are legally required to disclose data breaches to the government, affected individuals, and sometimes the public. The specific requirements vary depending on the region, industry, and the nature of the data involved. Here are some key points:

United States: There are federal and state laws that govern data breach notifications. For example:

The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to report breaches of protected health information. The Gramm-Leach-Bliley Act (GLBA) mandates financial institutions to notify customers of data breaches. Many states have their own data breach notification laws that require companies to inform affected individuals and, in some cases, state authorities. European Union: The General Data Protection Regulation (GDPR) mandates that organizations must report certain types of data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

Other Jurisdictions: Various countries have enacted data protection laws with similar requirements. For example, Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA), and Australia has the Notifiable Data Breaches (NDB) scheme under the Privacy Act.