Feeds

How much does a security breach actually cost?

And who pays for it?

  • alert
  • submit to reddit

Reducing security risks from open source software

The final thing you can do if your credit card data has been compromised is to cancel all your credit cards, and get new ones. The cost of this is typically borne by you (in nuisance) and by your credit card issuing bank, and is estimated at from $3.00 to $35.00 for a simple reissuance to a reissuance plus credit fraud plus credit reports. Multiply that time 40 million numbers, and you can see why a lawsuit was filed. In general, the idea behind a civil tort system is to place the costs on the party best able to avoid the risk. In other words - you broke it, you bought it.

So, who bears the risk of loss for a stolen credit card number? Well, under what is called Regulation E, (for debit cards) or the Fair Credit Reporting Act (for credit cards) the cardholder's risk ranges from $50 to $500 (depending on the timeliness of notification) but is typically zero, as the card issuers want to keep their customers happy. If it is merely a credit card number that is compromised, the true risk of loss falls on the merchant that accepts the number over the phone, or the internet or possibly even accepts a cloned physical card. That is why the California bedding company is listed as a member of the class suing card systems.

But here is the irony. It was merchants themselves that decided to use Cardsystems as a processor. The credit card holder and the issuing bank had little control over who accessed the number and the transaction information after the transaction was inititated. The merchant is the one with the "privacy policy" promising consumers that their information will be protected. It was precisely such privacy policies that got companies like Victoria's Secret., Barnes and Noble, Guess Jeans, Petco and others in trouble with the Federal Trade Commission when there were security vulnerabilities or breaches that exposed personal data on these companies websites.

So, if you made a purchase with a company that had a privacy policy - saying something like "your information is safe with us" or "we will protect your personal data" and they then shared it with a processor (or processors) which were vulnerable, you might have a cause of action (a lawsuit) against the merchant themselves.

In law school, the rule of thumb for litigation was essentially this: if it moves, sue it. If it doesn't move: move it and then sue it. So everybody here is potentially at risk. The merchants are both plaintiffs (they have the risk for unauthorized cards being used at the store) and the defendants (they failed to protect the data processed by CardSystems.) The issuing banks (the name on your credit card) and VISA or MasterCard themselves run the risk that customers will be afraid to use credit cards because of fear of ID theft. The processors, these anonymous aggregators of massive amounts or transactional data, run risks to merchants, consumers, VISA and MasterCard, regulators, and issuing banks - particularly if it is found that they failed to comply both with the standards for security set by VISA and MasterCard, and the federal Gramm Leach Bliley Act for safeguarding financial information.

So we can expect an awful lot of finger pointing in the months and years ahead. We can also expect that the members of the class in the California lawsuit, even if the suit is successful, will get a mere pittance - a token amount. The only people who are sure to make out will be the lawyers. Avoiding that eventuality should certainly be a good enough reason to provide better security in the first place.

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Copyright © 2005, SecurityFocus logo

Related stories

The Sun exposes UK ID theft racket at Indian call centre
Unauthorised research opened door to MasterCard breach
MasterCard fingers partner in 40m card security breach
Fraud expert becomes victim of credit card crime
UK ID scheme rides again, as biggest ID fraud of them all
Backup tapes are backdoor for ID thieves

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
L33t haxxors compete to p0wn popular home routers
EFF-endorsed SOHOpelessly Broken challenge will air routers' dirty zero day laundry
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.