Recently, a suit filed in Washington DC names the US Department of Defense for allegedly breaching 4.9 million records.
The records are said to include active and retired military persons’ personal information and that of their families. The class action suit seeks $1,000 in damages for each compromised record or $4.9 billion.
Yes, “b” as in billion.
The alleged breach consisted of unencrypted back-up tapes consisting of names, addresses, personal health information, Social Security numbers, and other data. The tapes were stolen from Science Applications International Corp. (SAIC), a TRICARE contractor.
In light of recent well publicized data breaches, Heartland Payment Systems (130 million records), Sony (77 million records), TJ MAXX (45.7 million records), and Card Systems (40 million records) the cost of cleaning up this specific breach is elusive, but the judgment sought is a sobering figure at $4.9 billion!
The suit alleges, "intentional, willful, and reckless disregard." This subjective interpretation of the incident suggests, short a preponderance of facts reinforcing the allegation, that a settlement is likely.
The suit also seeks credit monitoring services. Costs for these services often exceed $30-$50 a year per enrollee.
Typically, 22% of impacted consumers enroll, but even a conservative 20% of 4.9 million at $40 represents a bottom line $39.2 million expense.
The cost of credit monitoring, the subset of the $4.9 billion settlement, and public backlash is a clear indication that safeguarding sensitive information is not just good business, but a business imperative.
In other words, failure to have documented safeguard controls in place may not only threaten your company’s bottom-line, but its financial viability.
Thus, it is prudent for companies that collect, process, or store Personally Identifiable Information (PII) to perform an annual risk assessment and validate the effectiveness of the data protection controls.
These are just more data points for building a solid business case to fund information safeguarding improvements and increased due diligence of vendor management programs.
SecureState recommends that organizations receiving PII become intimately familiar with all of the applicable security and privacy requirements for their industry and geographical footprint, in order to understand minimum protection requirements, industry best practices, as well as the consequences of noncompliance.
Cross-posted from SecureState