Organizations and companies are often embarrassed to have to admit that their security system was inadequate or unable to protect private information from computer robbers. Typically, it is months before they even know the data has been burgled.
According to a 2012 report by Verizon, a data breach costs companies an average of $7 million. What the cost is to consumers or the people whose data was carted off to unknown spaces and places is not very well understood.
“We have some information, but not a lot,” says Fred Cate, professor of law at the University of Indiana’s Mauer School of Law, and also Research Director for the Center for Applied Cybersecurity. “Here’s what I think we know. The vast majority of people suffer no loss at all. A significant number suffer inconvenience and a few people suffer an intensive loss.
“It’s not that those people who suffer intensively lose money, it’s that they have to keep trying to get things fixed,” says Cate. “Their credit report is linked to a wrongdoer’s credit report and they have to keep filing police reports, or calling the credit agency and so on. These people describe months and months of never knowing when it will pop up again. It’s very unpleasant and I would not want it to happen to me.”
Thirty years ago, Congress passed a law limiting credit card liability to $50. Most companies, in the wake of a data breach, wave that and quickly deactivate cards to mitigate losses.
One of the largest and most recent data breaches involves Target and the theft of 40 million credit and debit card records, plus names and addresses of 70 million customers. The latest numbers now put that count at nearly 100 million. Information like this is often sold in large lots on black market Internet sites.
Attorney Thomas Shapiro, from the Boston firm of Shapiro, Haber and Urmy, which specializes in complex litigation, is among the legal firms currently involved in a class-action suit against the retailer. “When it comes to a large data breach like the Target case, even a smaller percentage of people being harmed significantly means thousands of people,” says Shapiro
“I think the law is still a little unsettled and it is true that the courts in some states have been very restrictive in terms of the damages they recognize,” says Shapiro.
There are other costs related to re-issuing driver’s licenses, other government identification, and there is, of course, the time lost. “A big element of the damages involved is related to the inconvenience and effort it takes to replace credit cards and figure out what automatic payments are charged to them every month. Some people have more than one credit card,” argues Shapiro.
There is also a certain fear and trepidation about these kinds of data breaches says Shapiro. Although the courts have so far been slow to see this, he believes that not all states have had an opportunity to deal with these kinds of cases and the law is evolving.