June 08, 2015
You hear about the escalating costs of data breaches all the time, but who’s financially responsible for all those costs?
According to Federal Trade Commission information, a consumer’s liability for the unauthorized use of their credit card tops out at $50, while for a debit card breach a consumer may be out of pocket for up to $500 or more, depending on how quickly the problem is reported.
Issuing financial institutions generally have to pay for fraudulent charges made on compromised cards, but banks may sue the retailer/merchant for using inadequate data security systems. At the same time, some banks are being called out for their slow transition to the more breach-resistant chip-and-PIN EMV technology.
A federal judge recently – and surprisingly – approved a lawsuit by financial institutions that could put more of the breach cost onto retailers. It had to do with a large retail breach that occurred in 2013. “The retailer played a key role in allowing the harm to occur,” ruled U.S. District Court Judge Paul Magnuson. According to a scmagazine.com story, the court is suggesting that if a retailer has a duty and breaches that duty, it is going to have to pay for the resulting damages. “The balance is definitely shifting on companies to provide reasonable security,” said an industry observer in the story. Interestingly, a recent Data Breach Survey showed that 61% of consumers say retailers are responsible for data breaches; 70% say retailers should be held financially responsible for consumer losses that result from a breach.
After a data breach, a company typically pays for notifying customers, credit monitoring services, and for processing claims for damages. It may also have to hire a crisis response consultant and other experts, and data breach fines may have to be paid. The 2014 Cost of Data Breach Study: United States showed the average cost for each lost or stolen record was $201; the total average cost paid by organizations was $5.9 million.
A threat intelligence expert quoted in the scmagazine story had this to say about financial responsibility: “If an organization or a company has taken reasonable steps in terms of security architecture and best practices and has met that reasonableness standard, there needs to be some hearty discussion as to where those organizations are still liable.”
Here are information security best practices:
A workplace can reduce the risk of a data breach occurring in the first place, and improve legal compliance, by outsourcing document destruction.