How much does a security breach actually cost?

Comment How much does a security breach actually "cost," and who pays for it? When the breach involves personal information, like credit card data, the answer is, a lot more than you may think. The problem is that the people who "pay" for the cost of the breach are rarely the ones responsible for preventing the breach.

A recent lawsuit filed in state court in San Francisco may, to a small extent, change that. The lawsuit was filed as an aftermath of the data breach by credit card processor Cardsystems, Inc., which resulted in the potential compromise of more than 40 million credit card numbers, and seeks to impose liability on Cardsystems for the true costs of failing to protect data.

We all know the familiar pattern of data theft, investigation, and begrudgingly, notification. In many cases, there is a general notification to the public about a data breach, which may or may not be followed by a specific notification to individual consumers that their information in particular was subject to compromise. Just in the past several months we have seen data losses or thefts from an alarming number of institutions: DSW Shoe Warehouse, BJ's Wholesale Club, Loewe's Hardware, Bank of America, Citigroup, Lexis/Nexis, and Atlanta-based Choicepoint. But nobody really knows the true cost of these data breaches - or for that matter, who really pays these costs.

The problem is, those responsible for securing our personal data are rarely the ones who pay the cost of securing it, and in many cases are not the same people with whom we have entrusted out data in the first place.

On June 27, Eric Parke of Marin County, California and Carmichael California bedding retailer "Royal Sleep" sued Cardsystems Solutions, Inc., as well as Merrick Bank, VISA and MasterCard in California State Superior Court as part of a class action lawsuit. Cardsystems had only days before announced that they had been the victim of a security breach involving as many as 40 million individual credit card numbers, but had delayed notification at the request of the FBI.

The FBI of course, announced that they had made no such request to delay notification to customers. Meanwhile, to date there have been no reports of any of the individual consumers whose credit card numbers were processed by Cardsystems having received notification that their credit card numbers were compromised. In fact, there is a dispute over how the fraud scheme itself was discovered - with Cardsystems claiming that they detected the fraud, MasterCard claiming that they detected the pattern of fraudulent charges and tracing it back to Cardsystems, and Australian credit card processors claiming that they detected and reported the fraudulent activity.

Now Eric Parke and Royal Sleep - as well as the class of people the purport to represent - may have suffered no loss at all. In fact, Mr. Parke is nothing more than a person who owns and has used a credit card. To date, there are a relatively modest number of people whose credit card numbers have been used without their authorization as a result of the breach at Cardsystems. But if you watch TV or read the papers, they all have the same advice for people who believe that their credit card numbers may have been compromised. First, review your statements carefully. Then get a copy of your credit report from each of the credit reporting agencies.

Obtaining such credit reports may be free, but then again it may not. A new U.S. federal law entitles some residents to a single free credit report (it is being rolled out nationwide) but even that may not be sufficient - particularly if you obtained your free report before the suspected break in. You are also entitled to a free credit report if you have been denied credit as a result of an application for credit - but what you really want is to know if you have been granted credit. Beware also of the services offered by the credit reporting agencies promising you a free credit report - this may not be the free credit report that you are entitled to under the law. Frequently these free credit reports are only free if you sign up for some other service - like credit watch services - which you are obligated to pay for if you do not cancel within a specified time period. So checking your credit report is not as easy as it appears.

Finally, you can put yourself of a credit fraud watch list or alerting list - meaning that before any credit is extended to you, you will be contacted by an "out of band" communications medium - like a phone. While this will help in the area of identity fraud, most companies will only allow you on the credit fraud watch list if you have been the victim of identity fraud already - and only for a short period of time. Sort of closing the barn door after the horse has been stolen. Moreover, if you are on such a fraud watch list, you might not be able to get your 10% "instant" savings at SEARS for opening a credit card there.