theregister.co.uk
How much does a security breach actually cost?
By Mark Rasch, SecurityFocus
How much does a security breach actually "cost," and who pays for it? When the breach involves personal information, like credit card data, the answer is, a lot more than you may think. The problem is that the people who "pay" for the cost of the breach are rarely the ones responsible for preventing the breach.
A recent lawsuit filed in state court in San Francisco may, to a small extent, change that. The lawsuit was filed in the aftermath of the data breach at credit card processor Cardsystems, Inc., which resulted in the potential compromise of more than 40 million credit card numbers, and seeks to impose liability on Cardsystems for the true costs of failing to protect data.
We all know the familiar pattern of data theft, investigation, and, begrudgingly, notification. In many cases, there is a general notification to the public about a data breach, which may or may not be followed by a specific notification to individual consumers that their information in particular was subject to compromise. Just in the past several months we have seen data losses or thefts from an alarming number of institutions: DSW Shoe Warehouse, BJ's Wholesale Club, Lowe's Hardware, Bank of America, Citigroup, Lexis/Nexis, and Atlanta-based Choicepoint. But nobody really knows the true cost of these data breaches - or for that matter, who really pays these costs.
The problem is, those responsible for securing our personal data are rarely the ones who pay the cost of securing it, and in many cases are not the same people with whom we entrusted our data in the first place.
On June 27, Eric Parke of Marin County, California and Carmichael California bedding retailer "Royal Sleep" sued Cardsystems Solutions, Inc., as well as Merrick Bank, VISA and MasterCard in California State Superior Court as part of a class action lawsuit. Cardsystems had only days before announced that they had been the victim of a security breach involving as many as 40 million individual credit card numbers, but had delayed notification at the request of the FBI.
The FBI, of course, announced that they had made no such request to delay notification to customers. Meanwhile, to date there have been no reports of any of the individual consumers whose credit card numbers were processed by Cardsystems having received notification that their credit card numbers were compromised. In fact, there is a dispute over how the fraud scheme itself was discovered - with Cardsystems claiming that they detected the fraud, MasterCard claiming that they detected the pattern of fraudulent charges and traced it back to Cardsystems, and Australian credit card processors claiming that they detected and reported the fraudulent activity.
Now Eric Parke and Royal Sleep - as well as the class of people they purport to represent - may have suffered no loss at all. In fact, Mr. Parke is nothing more than a person who owns and has used a credit card. To date, there are a relatively modest number of people whose credit card numbers have been used without their authorization as a result of the breach at Cardsystems. But if you watch TV or read the papers, they all have the same advice for people who believe that their credit card numbers may have been compromised. First, review your statements carefully. Then get a copy of your credit report from each of the credit reporting agencies.
Obtaining such credit reports may be free, but then again it may not. A new U.S. federal law entitles some residents to a single free credit report (it is being rolled out nationwide), but even that may not be sufficient - particularly if you obtained your free report before the suspected break-in. You are also entitled to a free credit report if you have been denied credit as a result of an application for credit - but what you really want to know is whether you have been granted credit. Beware also of the services offered by the credit reporting agencies promising you a free credit report - this may not be the free credit report that you are entitled to under the law. Frequently these free credit reports are only free if you sign up for some other service - like credit watch services - which you are obligated to pay for if you do not cancel within a specified time period. So checking your credit report is not as easy as it appears.
Finally, you can put yourself on a credit fraud watch list or alerting list - meaning that before any credit is extended to you, you will be contacted by an "out of band" communications medium - like a phone. While this will help in the area of identity fraud, most companies will only allow you on the credit fraud watch list if you have already been the victim of identity fraud - and only for a short period of time. Sort of closing the barn door after the horse has been stolen. Moreover, if you are on such a fraud watch list, you might not be able to get your 10% "instant" savings at SEARS for opening a credit card there.
The final thing you can do if your credit card data has been compromised is to cancel all your credit cards and get new ones. The cost of this is typically borne by you (in nuisance) and by your credit card issuing bank, and is estimated at anywhere from $3.00 for a simple reissuance to $35.00 for a reissuance plus credit fraud losses plus credit reports. Multiply that by 40 million numbers, and you can see why a lawsuit was filed. In general, the idea behind a civil tort system is to place the costs on the party best able to avoid the risk. In other words - you broke it, you bought it.
So, who bears the risk of loss for a stolen credit card number? Well, under what is called Regulation E (for debit cards) or the Fair Credit Reporting Act (for credit cards), the cardholder's risk ranges from $50 to $500 (depending on the timeliness of notification) but is typically zero, as the card issuers want to keep their customers happy. If it is merely a credit card number that is compromised, the true risk of loss falls on the merchant that accepts the number over the phone or the internet, or possibly even accepts a cloned physical card. That is why the California bedding company is listed as a member of the class suing Cardsystems.
But here is the irony. It was the merchants themselves that decided to use Cardsystems as a processor. The credit card holder and the issuing bank had little control over who accessed the number and the transaction information after the transaction was initiated. The merchant is the one with the "privacy policy" promising consumers that their information will be protected. It was precisely such privacy policies that got companies like Victoria's Secret, Barnes and Noble, Guess Jeans, Petco and others in trouble with the Federal Trade Commission when there were security vulnerabilities or breaches that exposed personal data on these companies' websites.
So, if you made a purchase from a company that had a privacy policy - saying something like "your information is safe with us" or "we will protect your personal data" - and they then shared your data with a processor (or processors) which was vulnerable, you might have a cause of action (a lawsuit) against the merchant itself.
In law school, the rule of thumb for litigation was essentially this: if it moves, sue it. If it doesn't move, move it and then sue it. So everybody here is potentially at risk. The merchants are both plaintiffs (they bear the risk of unauthorized cards being used at the store) and defendants (they failed to protect the data processed by Cardsystems). The issuing banks (the name on your credit card) and VISA or MasterCard themselves run the risk that customers will be afraid to use credit cards because of fear of ID theft. The processors, these anonymous aggregators of massive amounts of transactional data, run risks from merchants, consumers, VISA and MasterCard, regulators, and issuing banks - particularly if it is found that they failed to comply both with the security standards set by VISA and MasterCard and with the federal Gramm-Leach-Bliley Act for safeguarding financial information.
So we can expect an awful lot of finger pointing in the months and years ahead. We can also expect that the members of the class in the California lawsuit, even if the suit is successful, will get a mere pittance - a token amount. The only people who are sure to make out will be the lawyers. Avoiding that eventuality should certainly be a good enough reason to provide better security in the first place.
SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.