When your personal data is the subject of a hack attack, what are your rights? The US Supreme Court is considering this very issue in a case before it. On the block is the issue of whether an individual, who may not have suffered any actual harm, may maintain an action for injury based upon the mere threat of future harm. Several circuit courts have rejected standing, calling the threat of future harm too speculative, but other have allowed such claims to proceed. Soon the Supreme Court will weigh in and hopefully provide definition and some parameters in this arena.
In the meantime, what does this mean for your business? If you have a breach, make sure your protocols are in place and are promptly activated for mitigation and response. Isolate the information hacked as much as possible and deploy damage control mechanisms. Create a footprint of your efforts. Make sure the individuals targeted in the attack are aware of your early response and mitigation efforts. Finally, consider offering some form of credit oversight to anticipate any harm beyond that of mere exposure.
In these ways, you may be able to diplomatically resolve issues before they become lawsuits.