It would be interesting to see how they define "continues to" and "disadvantaged by" here. It sounds like it may be implying that multiple occurrences of issues need to happen and just knowing that your data's been breached, but not yet abused, could be insufficient qualifications for "disadvantaged by".