Getting the Point
If any positive changes have taken place in the data brokerage industry, it was not due to ChoicePoint's admission of carelessness, says Litan, but rather California's SB 1386 regulation, which compels data owners to reveal breaches to victims. Any company that does business in California must notify those affected by a data breach. Prior to SB 1386 and the 38 other state data breach notification acts, few companies would be compelled to inform customers of a breach and data loss.
Litan says that while laws ensure the accuracy of personally identifiable information, not enough carry harsh punishments for companies that fail to protect consumers against fraud.
"I'm not saying that regulation is the answer to everything," Litan says, "but it will take a stick approach to get (data brokers) to make changes."
Businesses and U.S. government agencies, which also keep millions of consumer files, are typically guarded about the steps they take to prevent identity theft. Consumer businesses such as Target and eBay, for example, declined to be interviewed for this article. Litan says it can be difficult to convince CISOs that they need to do more to vet their potential clients.
"Data brokers make their money saying 'yes' to their customers," she says.
REAL CORPORATE DAMAGE?
The Ponemon Institute in 2006 estimated data breach cleanup costs to be $182 per lost record in a data breach. TJX, however, hasn't come near that total, leading many to wonder how much damage companies suffer. Brand name damage, as well as harm to the corporate reputation, is almost impossible to quantify, but a July 2007 Information Security article reported that TJX's stock price remained flat throughout the crisis. Others such as Boeing and Bank of America actually saw their stock rise over a period of time following a breach.
Adam Sills, lead underwriter for Darwin Professional Underwriters, says TJX and others may really suffer when third-party costs are passed to the retailer.
"Private liability is the big unknown but it's a critical element," he says. "This is where you can probably end up seeing serious costs."
Mark Baard is a freelance writer for Information Security.
This was first published in January 2008