Feeds

How much does a security breach actually cost?

And who pays for it?

  • alert
  • submit to reddit

Securing Web Applications Made Simple and Scalable

The final thing you can do if your credit card data has been compromised is to cancel all your credit cards, and get new ones. The cost of this is typically borne by you (in nuisance) and by your credit card issuing bank, and is estimated at from $3.00 to $35.00 for a simple reissuance to a reissuance plus credit fraud plus credit reports. Multiply that time 40 million numbers, and you can see why a lawsuit was filed. In general, the idea behind a civil tort system is to place the costs on the party best able to avoid the risk. In other words - you broke it, you bought it.

So, who bears the risk of loss for a stolen credit card number? Well, under what is called Regulation E, (for debit cards) or the Fair Credit Reporting Act (for credit cards) the cardholder's risk ranges from $50 to $500 (depending on the timeliness of notification) but is typically zero, as the card issuers want to keep their customers happy. If it is merely a credit card number that is compromised, the true risk of loss falls on the merchant that accepts the number over the phone, or the internet or possibly even accepts a cloned physical card. That is why the California bedding company is listed as a member of the class suing card systems.

But here is the irony. It was merchants themselves that decided to use Cardsystems as a processor. The credit card holder and the issuing bank had little control over who accessed the number and the transaction information after the transaction was inititated. The merchant is the one with the "privacy policy" promising consumers that their information will be protected. It was precisely such privacy policies that got companies like Victoria's Secret., Barnes and Noble, Guess Jeans, Petco and others in trouble with the Federal Trade Commission when there were security vulnerabilities or breaches that exposed personal data on these companies websites.

So, if you made a purchase with a company that had a privacy policy - saying something like "your information is safe with us" or "we will protect your personal data" and they then shared it with a processor (or processors) which were vulnerable, you might have a cause of action (a lawsuit) against the merchant themselves.

In law school, the rule of thumb for litigation was essentially this: if it moves, sue it. If it doesn't move: move it and then sue it. So everybody here is potentially at risk. The merchants are both plaintiffs (they have the risk for unauthorized cards being used at the store) and the defendants (they failed to protect the data processed by CardSystems.) The issuing banks (the name on your credit card) and VISA or MasterCard themselves run the risk that customers will be afraid to use credit cards because of fear of ID theft. The processors, these anonymous aggregators of massive amounts or transactional data, run risks to merchants, consumers, VISA and MasterCard, regulators, and issuing banks - particularly if it is found that they failed to comply both with the standards for security set by VISA and MasterCard, and the federal Gramm Leach Bliley Act for safeguarding financial information.

So we can expect an awful lot of finger pointing in the months and years ahead. We can also expect that the members of the class in the California lawsuit, even if the suit is successful, will get a mere pittance - a token amount. The only people who are sure to make out will be the lawyers. Avoiding that eventuality should certainly be a good enough reason to provide better security in the first place.

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Copyright © 2005, SecurityFocus logo

Related stories

The Sun exposes UK ID theft racket at Indian call centre
Unauthorised research opened door to MasterCard breach
MasterCard fingers partner in 40m card security breach
Fraud expert becomes victim of credit card crime
UK ID scheme rides again, as biggest ID fraud of them all
Backup tapes are backdoor for ID thieves

Mobile application security vulnerability report

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.