Latest Data Breach Costs Could Exceed $5 Billion

Monday, October 31, 2011

Brian Dean


Recently, a suit filed in Washington, DC, names the US Department of Defense for allegedly breaching 4.9 million records.

The records are said to include the personal information of active and retired military personnel and their families.  The class action suit seeks $1,000 in damages for each compromised record, or $4.9 billion in total.

Yes, “b” as in billion.  

The alleged breach consisted of unencrypted back-up tapes containing names, addresses, personal health information, Social Security numbers, and other data.  The tapes were stolen from Science Applications International Corp. (SAIC), a TRICARE contractor.

Even in light of other well-publicized data breaches, at Heartland Payment Systems (130 million records), Sony (77 million records), TJ MAXX (45.7 million records), and Card Systems (40 million records), the cost of cleaning up this specific breach is hard to estimate, but the judgment sought, $4.9 billion, is a sobering figure.

The suit alleges "intentional, willful, and reckless disregard."  This subjective interpretation of the incident suggests that, absent a preponderance of facts reinforcing the allegation, a settlement is likely.

The suit also seeks credit monitoring services.  Costs for these services often exceed $30-$50 a year per enrollee.

Typically, 22% of impacted consumers enroll, but even a conservative 20% of 4.9 million at $40 per enrollee represents a bottom-line expense of $39.2 million.

The cost of credit monitoring, whatever portion of the $4.9 billion sought is ultimately paid, and the public backlash are a clear indication that safeguarding sensitive information is not just good business, but a business imperative.

In other words, failure to have documented safeguard controls in place may threaten not only your company's bottom line, but its financial viability.

Thus, it is prudent for companies that collect, process, or store Personally Identifiable Information (PII) to perform an annual risk assessment and to validate the effectiveness of their data protection controls.

These are just more data points for building a solid business case to fund information safeguarding improvements and increased due diligence in vendor management programs.

SecureState recommends that organizations receiving PII become intimately familiar with all of the security and privacy requirements applicable to their industry and geographical footprint, in order to understand minimum protection requirements and industry best practices, as well as the consequences of noncompliance.

Cross-posted from SecureState
