Feeds

How much does a security breach actually cost?

And who pays for it?

  • alert
  • submit to reddit

SANS - Survey on application security programs

The final thing you can do if your credit card data has been compromised is to cancel all your credit cards, and get new ones. The cost of this is typically borne by you (in nuisance) and by your credit card issuing bank, and is estimated at from $3.00 to $35.00 for a simple reissuance to a reissuance plus credit fraud plus credit reports. Multiply that time 40 million numbers, and you can see why a lawsuit was filed. In general, the idea behind a civil tort system is to place the costs on the party best able to avoid the risk. In other words - you broke it, you bought it.

So, who bears the risk of loss for a stolen credit card number? Well, under what is called Regulation E, (for debit cards) or the Fair Credit Reporting Act (for credit cards) the cardholder's risk ranges from $50 to $500 (depending on the timeliness of notification) but is typically zero, as the card issuers want to keep their customers happy. If it is merely a credit card number that is compromised, the true risk of loss falls on the merchant that accepts the number over the phone, or the internet or possibly even accepts a cloned physical card. That is why the California bedding company is listed as a member of the class suing card systems.

But here is the irony. It was merchants themselves that decided to use Cardsystems as a processor. The credit card holder and the issuing bank had little control over who accessed the number and the transaction information after the transaction was inititated. The merchant is the one with the "privacy policy" promising consumers that their information will be protected. It was precisely such privacy policies that got companies like Victoria's Secret., Barnes and Noble, Guess Jeans, Petco and others in trouble with the Federal Trade Commission when there were security vulnerabilities or breaches that exposed personal data on these companies websites.

So, if you made a purchase with a company that had a privacy policy - saying something like "your information is safe with us" or "we will protect your personal data" and they then shared it with a processor (or processors) which were vulnerable, you might have a cause of action (a lawsuit) against the merchant themselves.

In law school, the rule of thumb for litigation was essentially this: if it moves, sue it. If it doesn't move: move it and then sue it. So everybody here is potentially at risk. The merchants are both plaintiffs (they have the risk for unauthorized cards being used at the store) and the defendants (they failed to protect the data processed by CardSystems.) The issuing banks (the name on your credit card) and VISA or MasterCard themselves run the risk that customers will be afraid to use credit cards because of fear of ID theft. The processors, these anonymous aggregators of massive amounts or transactional data, run risks to merchants, consumers, VISA and MasterCard, regulators, and issuing banks - particularly if it is found that they failed to comply both with the standards for security set by VISA and MasterCard, and the federal Gramm Leach Bliley Act for safeguarding financial information.

So we can expect an awful lot of finger pointing in the months and years ahead. We can also expect that the members of the class in the California lawsuit, even if the suit is successful, will get a mere pittance - a token amount. The only people who are sure to make out will be the lawyers. Avoiding that eventuality should certainly be a good enough reason to provide better security in the first place.

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Copyright © 2005, SecurityFocus logo

Related stories

The Sun exposes UK ID theft racket at Indian call centre
Unauthorised research opened door to MasterCard breach
MasterCard fingers partner in 40m card security breach
Fraud expert becomes victim of credit card crime
UK ID scheme rides again, as biggest ID fraud of them all
Backup tapes are backdoor for ID thieves

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.