Data Breaches, 0514 SCBJ, SC Lawyer, May 2014, #3

Author:Dave Maxfield and Bill Latham.
 
FREE EXCERPT

Data Breaches

Vol. 25 Issue 6 Pg. 28

South Carolina Bar Journal

May, 2014

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Perspectives from Both Sides of the Wall

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0 Dave Maxfield and Bill Latham.

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0THE CONSUMER'S PERSPECTIVE— Dave Maxfield.

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0If you are reading this article right now, there's a high probability your personal information has been hacked, lost or stolen in the past five years. How can we know that? Because, you probably are a South Carolina taxpayer. And your tax records (with all of your unencrypted personal identifying information) were hacked in 2012 with that of 3.8 million other taxpayers and 1.9 million of their dependents.

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Not just here, but everywhere.

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0But even if you're not a South Carolina taxpayer or dependent, you're an American consumer. And while the S.C. Department of Revenue breach was "bad" (more on that below) it hardly qualifies as "big" in the world of data breaches. The total number of records stolen from DOR pales in comparison to the 2009 Heartland Payment Systems breach where an estimated 130 million credit and debit card numbers were stolen by hacker Alberto Gonzalez and his accomplices. Some other recent "big" data breaches affecting well-known organizations include:

• TJX Companies (2007)—45 million customer records hacked

• Target (2013)—40 million credit and debit card records stolen by suspected "skimming" devices at point of sale

• Adobe Systems—38 million customer IDs (and related credit cards) hacked

• U.S. Department of Veterans Affairs (2009)—76 million veterans records compromised when un-wiped, unencrypted hard drives were sent to recycling

• Card Systems (2005)—40 million credit card accounts hacked

• Sony (2011)—77 million Playstation user accounts hacked

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Numerous other well-known companies (e.g., Apple, AOL, Facebook, Linkedln) have had their problems too. But not all data breaches are created equal. The degree to which a breach is harmful corresponds to the type of information compromised, and whether it was unencrypted. On that count, t he South Carolina DOR breach, in which thieves obtained a virtual Identity Theft Starter Kit, was BAD.1 Other states (including Massachusetts, Virginia and California) have had similar, albeit smaller, breaches of very sensitive information. Hospitals and health insurers are not immune either. Despite HIPAA requirements, millions of sensitive patient medical and insurance records have been lost to data breaches.

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0So, what IS a data breach exactly?

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Before we go much further, however, lets discuss what we mean by a "data breach." A data breach is any release of secure information to an untrusted environment. Although many breaches occur as the result of intentional illicit conduct (hacking, skimming, inside thefts, stolen computers or media), breaches can occur accidentally as well (accidental publication, lost computers or media). Intentional or not, all data breaches have a few things in common:

1) Data breaches are, at least to some degree, preventable.

2) To the extent not preventable, their effects can be mitigated by the reaction of the company to a breach (e.g., the degree of "BAD" can be reduced).

3) If not prevented or mitigated, data breaches can cause enormous harm.

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Prevention, compliance and common sense can go a long way in protecting consumers from the harm of a data breach. But what happens when such steps are lacking (or when they fail entirely)? What recourse does the average consumer have? Before we get into the specifics, though, a threshold question: does a data breach harm the average consumer?

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Breaches quadruple risk of ID theft

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Turns out they do. According to a 2009 study by Javelin Strategy & Research, the risk of identity theft for victims of a data breach does not merely increase, but more than quadruples. While about four per-cent of the general population will become victims of identity theft, approximately 20 percent of data breach victims will have their identity stolen or used in some fashion. If we apply that metric to the (relatively "small" in number) South Carolina DOR data breach, that means 1.14 million South Carolinians could ultimately have their identities stolen.

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0When considering the highly sensitive nature of the information compromised in the DOR breach, that number becomes even more sobering. As opposed to the limited harm posed by a single stolen credit card number, a stolen social security number presents a much more significant problem because it allows the thief to open brand new accounts. Or take over existing accounts. Or file tax returns and claim refunds in the consumer's name. Or take over a consumer's identity completely.

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0While a consumer would not be legally liable for fraudulently opened accounts, an identity theft situation can create a personal nightmare for consumers that takes years to end. Dealing with law enforcement agencies, trying to convince debt collectors that accounts were opened by fraud, and trying to rebuild a ruined credit history can cause significant stress and take up enormous amounts of the consumer's time. Not to mention resources. Studies by Javelin and Lexis-Nexis estimate that an identity theft costs each individual consumer approximately $350 to $600 in out of pocket expenses. This does not include the much higher losses initially absorbed by victimized businesses ultimately passed on to all consumers in the form of higher prices.

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0Credit monitoring not a panacea

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0When a breach occurs, a business (or a government agency's) first obligation after closing the breach is to notify the consumers potentially affected by it. With the bleeding supposedly stemmed, the universal "band aid" offered to consumers is credit monitoring. While helpful in detecting identity theft attempts following the breach, credit monitoring is far from a complete solution for several reasons. First, credit monitoring will only alert the consumer to attempts to open new credit (and possibly changes to existing accounts, such as an address change). What credit monitoring will not do is detect other types of fraud, such as the filing of a false tax return.

\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0\xA0The second weakness of credit monitoring is that it is usually offered for a relatively short time, generally one year. This is inadequate because it fails to consider how information stolen in a data breach is actually used. To begin with, the original thieves in a data breach of any size are unlikely to use the stolen information themselves. Rather, they will...

To continue reading

FREE SIGN UP