Feeds

How much does a security breach actually cost?

And who pays for it?

  • alert
  • submit to reddit

Build a business case: developing custom apps

Comment How much does a security breach actually "cost," and who pays for it? When the breach involves personal information, like credit card data, the answer is, a lot more than you may think. The problem is that the people who "pay" for the cost of the breach are rarely the ones responsible for preventing the breach.

A recent lawsuit filed in state court in San Francisco may, to a small extent, change that. The lawsuit was filed as an aftermath of the data breach by credit card processor Cardsystems, Inc., which resulted in the potential compromise of more than 40 million credit card numbers, and seeks to impose liability on Cardsystems for the true costs of failing to protect data.

We all know the familiar pattern of data theft, investigation, and begrudgingly, notification. In many cases, there is a general notification to the public about a data breach, which may or may not be followed by a specific notification to individual consumers that their information in particular was subject to compromise. Just in the past several months we have seen data losses or thefts from an alarming number of institutions: DSW Shoe Warehouse, BJ's Wholesale Club, Loewe's Hardware, Bank of America, Citigroup, Lexis/Nexis, and Atlanta-based Choicepoint. But nobody really knows the true cost of these data breaches - or for that matter, who really pays these costs.

The problem is, those responsible for securing our personal data are rarely the ones who pay the cost of securing it, and in many cases are not the same people with whom we have entrusted out data in the first place.

On June 27, Eric Parke of Marin County, California and Carmichael California bedding retailer "Royal Sleep" sued Cardsystems Solutions, Inc., as well as Merrick Bank, VISA and MasterCard in California State Superior Court as part of a class action lawsuit. Cardsystems had only days before announced that they had been the victim of a security breach involving as many as 40 million individual credit card numbers, but had delayed notification at the request of the FBI.

The FBI of course, announced that they had made no such request to delay notification to customers. Meanwhile, to date there have been no reports of any of the individual consumers whose credit card numbers were processed by Cardsystems having received notification that their credit card numbers were compromised. In fact, there is a dispute over how the fraud scheme itself was discovered - with Cardsystems claiming that they detected the fraud, MasterCard claiming that they detected the pattern of fraudulent charges and tracing it back to Cardsystems, and Australian credit card processors claiming that they detected and reported the fraudulent activity.

Now Eric Parke and Royal Sleep - as well as the class of people the purport to represent - may have suffered no loss at all. In fact, Mr. Parke is nothing more than a person who owns and has used a credit card. To date, there are a relatively modest number of people whose credit card numbers have been used without their authorization as a result of the breach at Cardsystems. But if you watch TV or read the papers, they all have the same advice for people who believe that their credit card numbers may have been compromised. First, review your statements carefully. Then get a copy of your credit report from each of the credit reporting agencies.

Obtaining such credit reports may be free, but then again it may not. A new U.S. federal law entitles some residents to a single free credit report (it is being rolled out nationwide) but even that may not be sufficient - particularly if you obtained your free report before the suspected break in. You are also entitled to a free credit report if you have been denied credit as a result of an application for credit - but what you really want is to know if you have been granted credit. Beware also of the services offered by the credit reporting agencies promising you a free credit report - this may not be the free credit report that you are entitled to under the law. Frequently these free credit reports are only free if you sign up for some other service - like credit watch services - which you are obligated to pay for if you do not cancel within a specified time period. So checking your credit report is not as easy as it appears.

Finally, you can put yourself of a credit fraud watch list or alerting list - meaning that before any credit is extended to you, you will be contacted by an "out of band" communications medium - like a phone. While this will help in the area of identity fraud, most companies will only allow you on the credit fraud watch list if you have been the victim of identity fraud already - and only for a short period of time. Sort of closing the barn door after the horse has been stolen. Moreover, if you are on such a fraud watch list, you might not be able to get your 10% "instant" savings at SEARS for opening a credit card there.

Endpoint data privacy in the cloud is easier than you think

Next page: Related stories

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?