Identity Theft: Risks and Challenges to Business of Data Compromise

John I. Winn

Shenandoah University

Kevin H. Govern

Ave Maria School of Law; California University of Pennsylvania; John Jay College


Temple Journal of Science, Technology & Environmental Law, Vol. 28, No. 49, 2009

The loss of private customer data such as Social Security numbers, credit card numbers, birth-dates, and other confidential information to unauthorized third parties presents a daunting set of challenges and legal obligations to affected businesses. Identity theft has been America's “fastest growing crime” since at least 1989 and although actual cost data is difficult to gauge, various studies estimate that the U.S. business community suffers direct domestic losses of fifty-six to one-hundred billion dollars per year. These rather staggering figures do not include significant additional tangential costs such as the criminal prosecution and incarceration of offenders.

Identity theft also directly costs private consumers over two billion dollars and one-hundred million hours of time per annum to resolve in the aftermath of having their identities stolen. The Privacy Rights Clearinghouse reports that over eight million individuals were victims of identity theft in 2007 alone. That source also reports at least 900 business-related data breaches in the United States alone involving the compromise of over 245 million records containing personal information. Over the past two years, hackers, disaffected employees, and other cyber criminals have compromised data networks at TJ Maxx/Marshalls, Barnes & Noble, Bank of America, Wells Fargo, Stanford University, Princeton University, The Veterans Administration, Fannie Mae, and the City of San Francisco. According to the Department of Justice, reports of data breaches increased even more dramatically in 2008 with 656 reported breaches, reflecting an increase of 47% over the preceding year's total of 446. This includes a total of 35,691,255 stolen or otherwise compromised identities. According to that same study, only 2.4% of all breaches had encryption or other strong protection methods in use, and 8.5% of reported breaches had password protection.

Considering the enormity of these incidents, there is no way to be certain “how many other retailers, who might not be quite as careful, are already being breached?” As dependence upon data access, especially wireless applications, continues to grow, new vulnerabilities will be further exploited. Obviously, given the current risk environment, businesses are obligated to do their utmost to protect systems and ensure customer confidentiality. Unfortunately, in this same threat environment, careful consideration must also be given to planning and preparation for worst-case scenarios. In the event of a major system compromise, who bears the cost of system restoration or customer reimbursements? What about negative publicity, loss of goodwill, and lawsuits? What constitutes minimum due diligence before and after a data compromise? What steps should management consider post-breach? What are the legal consequences to our business, customers and other stakeholders? Should we purchase cyber-insurance?

Part one of this article addresses current infrastructure risks and the challenges associated with cyber insurance underwriting. Part two attempts to summarize what has become a rather complex legal and regulatory landscape. Part three addresses due diligence and post-breach best practices that may facilitate the retention of customer goodwill while minimizing business costs and legal liabilities.

Number of Pages in PDF File: 12

Keywords: Risk management, corporate governance, data integrity preservation, identity theft prevention, operational imperatives, strategic imperatives, shareholder value, consumer value, cyberspace, cybercrime, cyberwarfare

JEL Classification: K10, K42, L14, L15, L20, L21, L50, L52, L86, L96, M10, M11, M50, M51, O30, O31, O32, O33, O34, P41


Date posted: June 27, 2012 ; Last revised: August 21, 2014

Suggested Citation

Winn, John I. and Govern, Kevin H., Identity Theft: Risks and Challenges to Business of Data Compromise (2009). Temple Journal of Science, Technology & Environmental Law, Vol. 28, No. 49, 2009. Available at SSRN: http://ssrn.com/abstract=2093493

