This article can also be found in the Premium Editorial Download "Information Security magazine: Reflections on the impact of Sarbanes-Oxley."


Getting the Point

SB 1386
If any positive changes have taken place in the data brokerage industry, they were not due to ChoicePoint's admission of carelessness, says Litan, but rather to California's SB 1386 regulation, which compels data owners to reveal breaches to victims. Any company that does business in California must notify those affected by a data breach. Prior to SB 1386 and the 38 other state data breach notification acts, few companies were compelled to inform customers of a breach and data loss.

Litan says that while laws ensure the accuracy of personally identifiable information, not enough carry harsh punishments for companies that fail to protect consumers against fraud.

"I'm not saying that regulation is the answer to everything," Litan says, "but it will take a stick approach to get (data brokers) to make changes."

Businesses and U.S. government agencies--which also keep millions of consumer files--are typically guarded about the steps they take to prevent identity theft. Consumer businesses such as Target and eBay, for example, declined to be interviewed for this article. Litan says it can be difficult to convince CISOs that they need to do more to vet their potential clients.

"Data brokers make their money saying 'yes' to their customers," she says.


They may be saying yes to more punitive damages if the torrent of data breaches doesn't subside. In addition to TJX reporting it has spent more than $250 million in cleaning up after its breach, class-action suits have been filed against the retailer, which was hacked out of more than 45 million customer records, including credit card numbers, this year. In September, TJX announced a settlement with those affected, offering credit monitoring to 455,000 of the 45 million whose identities are at risk, the Privacy Rights Clearinghouse reports.

The Ponemon Institute in 2006 estimated data breach cleanup costs at $182 per lost record. TJX, however, hasn't come near that total, leading many to wonder how much damage companies actually suffer. Brand name damage, as well as harm to the corporate reputation, is almost impossible to quantify, but a July 2007 Information Security article reported that TJX's stock price remained flat throughout the crisis. Others such as Boeing and Bank of America actually saw their stock rise over a period of time following a breach.

Adam Sills, lead underwriter for Darwin Professional Underwriters, says TJX and others may really suffer when third-party costs are passed to the retailer.

"Private liability is the big unknown but it's a critical element," he says. "This is where you can probably end up seeing serious costs."

Mark Baard is a freelance writer for Information Security.
Send comments on this article to feedback@infosecuritymag.com.

This was first published in January 2008
