Feeds

How much does a security breach actually cost?

And who pays for it?

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

The final thing you can do if your credit card data has been compromised is to cancel all your credit cards, and get new ones. The cost of this is typically borne by you (in nuisance) and by your credit card issuing bank, and is estimated at from $3.00 to $35.00 for a simple reissuance to a reissuance plus credit fraud plus credit reports. Multiply that time 40 million numbers, and you can see why a lawsuit was filed. In general, the idea behind a civil tort system is to place the costs on the party best able to avoid the risk. In other words - you broke it, you bought it.

So, who bears the risk of loss for a stolen credit card number? Well, under what is called Regulation E, (for debit cards) or the Fair Credit Reporting Act (for credit cards) the cardholder's risk ranges from $50 to $500 (depending on the timeliness of notification) but is typically zero, as the card issuers want to keep their customers happy. If it is merely a credit card number that is compromised, the true risk of loss falls on the merchant that accepts the number over the phone, or the internet or possibly even accepts a cloned physical card. That is why the California bedding company is listed as a member of the class suing card systems.

But here is the irony. It was merchants themselves that decided to use Cardsystems as a processor. The credit card holder and the issuing bank had little control over who accessed the number and the transaction information after the transaction was inititated. The merchant is the one with the "privacy policy" promising consumers that their information will be protected. It was precisely such privacy policies that got companies like Victoria's Secret., Barnes and Noble, Guess Jeans, Petco and others in trouble with the Federal Trade Commission when there were security vulnerabilities or breaches that exposed personal data on these companies websites.

So, if you made a purchase with a company that had a privacy policy - saying something like "your information is safe with us" or "we will protect your personal data" and they then shared it with a processor (or processors) which were vulnerable, you might have a cause of action (a lawsuit) against the merchant themselves.

In law school, the rule of thumb for litigation was essentially this: if it moves, sue it. If it doesn't move: move it and then sue it. So everybody here is potentially at risk. The merchants are both plaintiffs (they have the risk for unauthorized cards being used at the store) and the defendants (they failed to protect the data processed by CardSystems.) The issuing banks (the name on your credit card) and VISA or MasterCard themselves run the risk that customers will be afraid to use credit cards because of fear of ID theft. The processors, these anonymous aggregators of massive amounts or transactional data, run risks to merchants, consumers, VISA and MasterCard, regulators, and issuing banks - particularly if it is found that they failed to comply both with the standards for security set by VISA and MasterCard, and the federal Gramm Leach Bliley Act for safeguarding financial information.

So we can expect an awful lot of finger pointing in the months and years ahead. We can also expect that the members of the class in the California lawsuit, even if the suit is successful, will get a mere pittance - a token amount. The only people who are sure to make out will be the lawyers. Avoiding that eventuality should certainly be a good enough reason to provide better security in the first place.

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

Copyright © 2005, SecurityFocus logo

Related stories

The Sun exposes UK ID theft racket at Indian call centre
Unauthorised research opened door to MasterCard breach
MasterCard fingers partner in 40m card security breach
Fraud expert becomes victim of credit card crime
UK ID scheme rides again, as biggest ID fraud of them all
Backup tapes are backdoor for ID thieves

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.