The Weighted Scales of Justice
In 2012, BlueCross BlueShield (BCBS) of Tennessee paid $1.5M to cover the 2009 breach of 1 million patients’ data—about $1.50 a person. Counting the $17M spent on analysis and recovery, they still only lost $18.50 a person. According to the US Department of Justice, financial losses for victims of successful identity theft is in the hundreds—sometimes thousands—of dollars. Just indirect losses show a mean of $503, or ~27 times more than BCBS was fined, per person, with up to $4800 in worse scenarios. Even if the fines had been paid directly to the affected individuals, $1.50 is poor balm for what to some might have been a grievous wound.
The following year the search titan, Yahoo, suffered a breach of 3 billion records, but didn’t report it until three years after the fact. When the piper finally came to call, Yahoo lost $85M—around three cents a record for a violation that encompassed more records than there were people on the Internet at the time. Had they been penalized on a per-record basis at the rate BCBS was fined, they’d have a $4.5B headache. Compared to BCBS’s penalties, Yahoo got off feather-light.
Similar displays of apparent leniency in the United States are the standard rather than the norm. The same interests that lobby in Washington have only grudging acknowledgment of the need for protecting personal data. Many decision-makers don’t know where to begin, are daunted by the effort and cost to become secure, or just don’t have it on their radar. But despite criticism that GDPR has largely been a bout of posturing, the steeper fines levied as a result of the recent Marriott and British Airways cases put pressure on the US to tighten its reins where breaches—and their repercussions—herald quantifiable harm to the consumer. Following the money, the rising trend in companies buying cyber insurance policies, and the increasing complexity thereof, is a reasonable indicator that businesses can’t continue to trivialize the value of the personal data provided by customers.
Muddy Waters
It’s all well and good that negligent companies are being fined, but the real loser here is the consumer. One data breach may seem innocuous, but breach perpetrators are not just resting on their laurels and spouting braggadocio at their dark web cronies. Your password is likely in use in more than one place. Your spending habits, requests for directions, and photos all can be used to learn where you go, how often, and for how long. The application of cyber forensics—digging through various data to assemble a snapshot of someone and their behaviors—makes unsettling use of metadata settings that most users can’t be bothered to learn. The International Telecommunication Union predicted that, by 2021, the business of trading stolen data will be more profitable than all global drug trading combined. So what course of action does one have?
As it stands, right now, the probability is low of the punitive actions extending beyond fining culpable companies. Personal data is important; as it should be to companies. But trying to prove in a court of law that your data has monetary value—and that your just desert is monetary restitution—is tougher than it seems. Because of the variety and frequency of breaches, it is easy for corporate defense lawyers to disavow that the data used to infiltrate your accounts was from a specific source. Is stolen data worth the same each time evidence of identity theft appears? It could be argued that it’s just as likely that your data will not merit special attention and will never get used. These factors compound as more breaches flood the cyberverse.
Despite the well-known monetization of personal data—which could in theory be used as a precedent for valuing stolen personal information (PI)—courts find it difficult to put a static value on your personal information. Even if a class action suit—the only recourse for consumers who can demonstrate monetary damages—bears fruit, lawyers take home most of the money and the body of plaintiffs rarely sees any restitution. According to one source, dark web pricing for data depends on what’s being offered. “Fullz,” or a full information set pertaining to a single credit card, sell for up to $21 per, whereas medical records have sold for $350 per; bank account credentials sell for a sliding scale of 5% for accounts with a few thousand dollars to over 10% for high-dollar access. Of all ironies, recent flooding of the market has dramatically lowered prices; even hackers bow to the invisible hand, it seems.
Budging the Behemoth
Businesses’ have suffered reputationally, and a few have even gone bankrupt, from data breaches. But those stories are lesser known or even underrepresented, especially for smaller businesses. Only after millions, if not billions, of dollars’ worth of prevention, fines, and reparation have been reported are businesses and governments beginning to take notice, and after a year of being in effect, GDPR is finally growing teeth. The internet in its pervasion has unified people and businesses under law, of all the unlikely results. The precedent set by GDPR enforcement is a strong reminder that if companies want to do business globally, they must make decisions only after considering them in a global light. Equifax is one of the first rulings for restitution to customers. British Airways has resolved to repay customer losses stemming from their own lapse. Two exceptions, and both arrived upon under duress.
As momentum builds, a turning point is looming. The inclusion of cyber security insurance, increasing fines, and growing public awareness are all indicators that it is not an issue to be ignored anymore. We have only to look back at the growing pains of the Payment Card Industry Data Security Standards (PCI DSS), and the repercussions of the TJX breach, the first heavy fine arising from PCI DSS. It really wasn’t serious until someone paid serious money for ignoring it. So with GDPR, CCPA, et al.
Keeping Your Hands Clean
The old adage about “an ounce of prevention” applies here more than most, and for the same reasons. We wash our hands to minimize the spread of bacteria, but the medical colleagues of the doctor who originated the notion that it would prevent illness and death was reviled by his colleagues. It wasn’t until the 1980s that the US Center for Disease Control (CDC) kicked up a campaign to raise awareness of the preventive benefits of hand washing. Like physicians, corporations don’t want to acknowledge that they might be the cause of an epidemic, especially if it involves accusations of negligence; and they avoid culpability by pointing fingers at miasmic vapors and evil spirits (one might say many companies have washed their hands of responsibility over personal data). We look at the naysayers who once opposed hand washing with a skeptical eye, akin to children who can’t possibly know better, but are so plainly wrong.
One day, hopefully soon, we will all look back on this and laugh at how ridiculous a time in which it was to live, and how silly companies were who wouldn’t take the new, unorthodox-yet-demonstrable practice to heart, because why would anyone want to take the risk when the solution is totally worth it. One day, we might even see individual consumers paid back as a matter of course when their data is exfiltrated. Equifax has offered “free assisted identity restoration services,” but they are one of only a few companies with the wherewithal to offer such a thing. If it’s not a company that already handles identity verification, who will help us rejoin the cyberverse with confidence that was lost with our original identity information?
As with any epidemic, the stakes are higher than ever, and still climbing.