A while back, I wrote an article for the “Security Catalyst” blog about the economics of data breaches. In the article, I wondered whether companies should compensate customers for poor handling of their information, even before a breach occurs. Since companies often roll the dice with poor security, they have little financial incentive to change their behavior unless a breach happens and it hits the bottom line.
Now Hannaford, which helped to enable the exploitation of millions of credit card numbers through its poor handling of that information, may be forced to compensate the victims. At issue is whether a customer’s time and effort spent preventing further damage to their identity is worth compensation.
Previously, a judge ruled that since the banks offered the customer zero-liability protection, the customer wasn’t owed anything by Hannaford. That ruling gave Hannaford some level of protection against costly lawsuits.
However, as the courts are now considering, one’s time may have value. If a customer is spending time cleaning up Hannaford’s mess and preventing further harm, then maybe that customer should be compensated.
I agree that we need strong financial penalties to send the right message to the custodians of our information. Money seems to be the only thing most large corporations understand, so we need to make it more financially preferable to protect the information properly in the first place.
My concern is that we won’t really see improved security because of this. I envision the companies merely passing the breach cost off to consumers as they would an increase in corporate taxes. I’m not confident that they would “get it” and really start to take the responsibility of data custodianship seriously. That takes a conscience and that’s something many large companies lack.
To be fair, I’m also concerned that data breaches at companies that practice security very well would be treated as equivalent to those at companies that shirked their responsibility. I work in the security profession, and I’ll be the first to admit that even those who seem to be doing everything right have breaches. All it takes is one missing patch.
In the end, perhaps the solution to work toward is a hybrid: financial penalties for poor handling of information, even before a breach, combined with criminal penalties for the executives who enabled a breach to happen under their leadership. Just as someone present at a murder scene can be charged as an accessory to the crime, perhaps an executive is also liable for enabling a breach to happen.
Finally, let’s not forget that the criminal who exploited the vulnerability is most at fault. Although the data custodians deserve their fair share of the blame, it takes someone at the other end of the keyboard doing something they shouldn’t be doing for a compromise to happen.