Search This Blog

Saturday, November 03, 2007


CREDIT BUREAUS, DATA BREACH LEGISLATION AND MISSED OPPORTUNITIES


New York Senator Charles Schumer, a Democrat, just threatened legislative action if credit bureaus make consumers pay for credit freezes. The big three credit bureaus, Experian, Equifax and TransUnion are charging $10 each, thus, a total of $30 to cover all three, according to junk mail publication, DM News. OK, let’s do some math. Remember ChoicePoint—it’s almost as familiar as "Remember the Alamo" these days—and their breach of 163,000 individual records back in February of 2005? This was a result of Nigerian ID thieves heisting the sensitive data for the purpose of stealing consumers’ identities, resulting in potentially 3,800 victims of ID theft based on FTC figures. Our first mathematical equation multiplies 163,000 times $30.00 equaling $4,890,000, which is the amount paid by Consumers and revenue received by credit bureaus for credit freezes in just the ChoicePoint breach. The second equation which multiplies 3,800 times $5,720 (fraud amount lost per victim) equals $21,736,000 total victim loss just for the CP breach. So the American consumer who did absolutely nothing wrong in this incident ends up spending a total of $26,626,000 for future protection, and to clean up someone else’s mess. Pathetic. And on the legislative front, the data breach Bobsy Twins, Senators Patrick Leahy and Arlen Specter, have introduced yet another bill, the Identity Theft Enforcement and Restitution Act, which would allow consumers to seek relief from costs involved in an identity theft. (See article) How many times have we been to this well before with no results? Leahy and Specter appear to have the consumer’s best interest at heart, but they can never get the job done, and that is the history of the U.S. Congress we are saddled with now. The author of the arstechnica.com piece above relates to William Faulkner in describing the issue. He confirms that congressional leaders do make a lot of noise over the problem, but he adds: “Unfortunately for residents of the US, the legislative branch of our government has proven itself to be full of sound and fury, signifying nothing when it comes to this issue.” Very well said. Now, how many of you have heard that an appeals court has dismissed a lawsuit that would have compensated certain data breach victims? Affected would be those who have not actually suffered economic harm from the breach, but who had to spend time and money, like credit monitoring or freezes, to prevent potential losses. It was class action litigation against Old Nat’l Bancorp. which operates a Web site for individuals looking for financial services. The data breached from Bancorp.’s hosting facility was name/address, Social Security number, driver’s license number, date of birth, mother’s maiden name and some other financial account information. What more could ID thieves ask for? The Seventh Circuit Court in its decision said that emotional damages suffered over the breach weren’t actual out of pocket losses, thus, they didn’t count. I have talked to one very sharp legal mind that doesn’t necessarily agree with this assumption. However, the problem rests with the Indiana law on which the case is based. The court says basically that the state law, as it is written, did not intend for this type of victim to have a cause of action against the breaching company. Just another example of weak state law when it comes to the identity crisis and another missed opportunity for the consumer.

No comments: