Weebly Data Breach: What Customers Should Know

by John DiGiacomo

Partner

Data Breach

According to reports, a February 2016 breach has made Weebly, a service for building your own website, the latest victim in the rising trend of data breaches. The breach, affecting 43,430,316 customers with accounts dating back to 2007, exposed email addresses and/or usernames, IP addresses, and encrypted (bcrypt hashed) passwords for a large number of customers. A data breach notification was sent to all affected customers on 10/20/16 informing them of the breach and advising on potential responses, such as changing passwords. Weebly issued a statement:

“We do not store any full credit card numbers on Weebly servers, and at this time we’re not aware that any credit card information that can be used for fraudulent charges was part of this incident. We are taking steps to notify our customers – and we are taking swift action to address the situation. Our security team, with support from outside security consultants, is working to protect our customers and to enhance our network protections. This includes initiating password resets, implementing new password requirements and a new dashboard that gives customers an overview of recent log-in history of their Weebly account to track account activity.”

A Silver Lining to the Weebly Data Breach?

The silver lining of this Weebly data breach, and indeed the takeaway for similarly situated online businesses, is that encryption of sensitive information in the evolving world of data breaches is imperative. Had these passwords not been encrypted, an assault on over 40 million websites could have occurred, with disastrous results. What is more, these same passwords could have provided access to countless other accounts and information belonging to users who reuse the same passwords across multiple sites and services. While email addresses, usernames, and IP addresses can be useful to identity thieves, they constitute only pieces of the puzzle.

Forming a Data Breach Response Plan

Let this Weebly data breach be a lesson. In a world of daily breaches, and with a negligence claim looming for those who do not properly protect the information of others, encryption is king. Companies need to have a clear data breach response plan in place in the event of a data breach. Revision Legal understands the dynamic nature of cybersecurity. Revision Legal has worked with businesses of all sizes to assess data retention risks and, when necessary, to provide counsel on breach notifications in all 50 states. If you have concerns about your exposure or have received notice that a breach has occurred affecting your website, contact the experienced data breach attorneys at Revision Legal as soon as possible. Civil fines are available in some states for a failure to expeditiously notify those affected by breaches, so if a breach has occurred, you need the legal team from Revision Legal in your corner today. Contact us using the form on this page or call us at 855-473-8474.

Photo credit: Weebly.

Understanding Your Legal Rights After a Data Breach

When a company like Weebly suffers a data breach affecting tens of millions of users, affected individuals are not left without recourse. Federal and state law create a patchwork of rights and remedies that data breach victims can pursue, and businesses face real legal exposure when they fail to safeguard customer information.

State Data Breach Notification Statutes

All 50 states now have data breach notification laws. Most require businesses to notify affected residents within a specific timeframe — often 30, 45, or 90 days — after discovering a breach. California’s data breach notification statute (Cal. Civ. Code § 1798.82) is among the most comprehensive, requiring notification without unreasonable delay and providing a private right of action. Michigan’s Identity Theft Protection Act (MCL § 445.72) similarly mandates prompt notification. Failure to comply can trigger civil penalties, regulatory action, and class action exposure.

Negligence and the Duty to Protect Consumer Data

Companies that collect and store consumer data owe a duty of reasonable care to protect that information. When a breach occurs due to inadequate security measures — outdated encryption, failure to patch known vulnerabilities, poor access controls — affected consumers may have a negligence claim. Courts have increasingly recognized cognizable injury from data breaches, including the time and cost of credit monitoring, out-of-pocket losses from fraudulent use, and the diminished value of compromised personal information. In re Equifax Inc. Customer Data Security Breach Litigation, No. 1:17-md-2800-TWT (N.D. Ga. 2020), resulted in a settlement exceeding $575 million, illustrating the real financial exposure companies face.

The FTC Act and Unfair or Deceptive Practices

Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45) prohibits unfair or deceptive acts or practices in commerce. The FTC has consistently taken the position that a company’s failure to maintain reasonable data security constitutes an unfair practice. In FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), the Third Circuit affirmed the FTC’s authority to regulate corporate data security practices under Section 5. Companies that represent they maintain adequate security and then suffer a preventable breach can face FTC enforcement action.

What Businesses Must Do After a Breach

  • Contain the breach immediately — isolate affected systems, revoke compromised credentials, and preserve evidence.
  • Engage a forensics firm — a thorough investigation determines the scope of the breach and supports the legal defense that you acted reasonably.
  • Notify affected individuals — comply with each applicable state’s notification timeline and content requirements.
  • Notify regulators where required — some states mandate notification to the attorney general, state police, or consumer protection office in addition to affected individuals.
  • Review and update your security posture — documenting remediation steps demonstrates good faith and can limit ongoing liability exposure.

Developing a Data Breach Response Plan Before You Need It

The Weebly breach is a case study in why every online business — regardless of size — needs a documented incident response plan. That plan should identify: who within the organization has authority to declare an incident; outside legal counsel and forensics providers who can be retained immediately; the notification obligations specific to your customer base’s states of residence; and insurance coverage under a cyber liability policy. Businesses that have a plan in place typically contain breaches faster, spend less on remediation, and face less regulatory scrutiny than those caught flat-footed.

If your business has experienced a data breach or you want to assess your current data security compliance posture, contact the data breach attorneys at Revision Legal. We counsel businesses on breach response, multi-state notification obligations, and regulatory investigations. Reach us through the contact form on this page or call 855-473-8474.

Cyber Liability Insurance: A Critical Component of Your Risk Management Strategy

Beyond legal counsel and technical security measures, cyber liability insurance has become an essential tool for businesses that store or process personal information. A cyber liability policy typically covers notification costs, credit monitoring for affected individuals, forensic investigation expenses, regulatory defense costs, and civil litigation defense. Some policies also cover business interruption losses caused by a breach. Importantly, the existence of a policy — and the requirement to report incidents to the insurer promptly — often accelerates and improves a business’s breach response, because insurers have established networks of forensic firms and breach counsel who respond quickly and efficiently. Businesses that suffer a breach without cyber liability insurance often find that the uninsured costs of notification, remediation, and litigation exceed what an annual premium would have cost many times over.
