June 08, 2015

Who is financially responsible after a data breach?


You hear about the escalating costs of data breaches all the time, but who’s financially responsible for all those costs?


According to Federal Trade Commission information, a consumer’s liability for the unauthorized use of their credit card tops out at $50 while a consumer may be out of pocket for up to $500 or more, for a debit card breach depending on how quickly the problem is reported.

Banks/Card Issuers?

Issuing financial institutions generally have to pay for fraudulent charges made on compromised cards. But banks may sue the retailer/merchant for using inadequate data security systems. At the same time, some banks are being called on for their slow transition to the more breach-resistant chip-and-pin EMV technology.


A federal judge recently – and surprisingly – approved a lawsuit by financial institutions that could put more of the breach cost onto retailers. It had to do with a large retail breach that occurred in 2013. “The retailer played a key role in allowing the harm to occur,” ruled U.S. District Court Judge Paul Magnuson. According to a scmagazine.com story, the court is suggesting that if a retailer has a duty and breaches that duty, it is going to have to pay for the resulting damages. “The balance is definitely shifting on companies to provide reasonable security,” said an industry observer in the story. Interestingly, a recent Data Breach Survey showed that 61% of consumers say retailers are responsible for data breaches; 70% say retailers should be held financially responsible for consumer losses that result from a breach.


After a data breach, a company typically pays for notifying customers, credit monitoring services, and for processing claims for damages. It may also have to hire a crisis response consultant and other experts, and data breach fines may have to be paid. The 2014 Cost of Data Breach Study: United States showed the average cost for each lost or stolen record was $201; the total average cost paid by organizations was $5.9 million.

A threat intelligence expert quoted in the scmagazine story had this to say about financial responsibility: “If an organization or a company has taken reasonable steps in terms of security architecture and best practices and have met that reasonableness standard, there needs to be some hearty discussion as to where those organizations are still liable.”

Here are information security best practices:

  • Create a culture of security in the workplace, with a data protection policy and other measures that are visibly supported from the top down.
  • Appoint a full-time information security manager.
  • Keep only the sensitive information that your organization needs to be compliant and for operations. Otherwise, securely destroy paper and e-media documents.
  • Provide regular employee training.
  • Limit access to sensitive information – to employees who need access to do their jobs.
  • Create accounting processes that safeguard accounts and other information.
  • Implement a Clean Desk policy so confidential information is never out in the open.
  • Report a breach of information immediately.
  • Equip all computers with the best data security protection available. For example – encryption and tokenization technology for EMV solutions.
  • Create a mobile devices policy.

A workplace can reduce the risk of a data breach occurring in the first place - and improve legal compliance - by outsourcing document destruction.