Do breaches of my information occur?
Yes. While big scandals such as the Target breach that just occurred are not overly common, companies regularly lose personal information about consumers. Companies can lose people’s information through carelessness, security flaws, hackers, or even inside jobs by employees. In the last ten years, over 4,000 data breaches have been made public and over three quarters of a billion records have been compromised. You can find a list of all of the disclosed breaches at https://www.privacyrights.org/data-breach. Not all breaches are disclosed, however, because companies are not required to disclose every breach of consumer information. It is likely that many more breaches have occurred.
Most states have laws that require companies to notify people if information is lost. However, these laws are limited to very specific types of information. For example, California, one of the more protective states when it comes to information privacy laws, still limits protection to only a few types of information. This includes a person’s first name or first initial and last name combined with a social security number, a driver’s license number, a credit card or debit card number along with access information, medical information, or health insurance information. Most states do not protect more than this, and most of the information companies have on you is not protected by these laws. These laws primarily ensure that you are notified if companies lose information about you that could lead to identity theft. The laws differ from state to state. You can find a link to your specific state law at http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
As noted earlier, the protections under these laws are generally limited to notification. To continue with the example of California, a company that loses your information must give you the date of the notice, its name and contact information, the type of information lost, the estimated time of the breach, whether the notification was delayed due to a law enforcement investigation, and the contact information of the major credit reporting agencies. Your rights are limited to notice; companies usually are not required to give you any money for losing your information.
Do I have legal recourse if a company loses my information?
It depends. The notification statutes give you a right to sue if a company does not notify you and you are harmed due to that lack of notification. However, it is very hard to prove that those things occurred. You might be able to start a lawsuit even if notice has been given. Some victims of the Target breach are trying to sue the company for damages. For more information on the lawsuit, see http://www.twincities.com/business/ci_24777439/target-data-breach-lawsuits-filed-eye-class-action