12 Pages Posted: 27 Jun 2012 Last revised: 21 Aug 2014
Date Written: 2009
The loss of private customer data such as Social Security numbers, credit card numbers, birth-dates, and other confidential information to unauthorized third parties presents a daunting set of challenges and legal obligations to affected businesses. Identity theft has been America's “fastest growing crime” since at least 1989 and although actual cost data is difficult to gauge, various studies estimate that the U.S. business community suffers direct domestic losses of fifty-six to one-hundred billion dollars per year. These rather staggering figures do not include significant additional tangential costs such as the criminal prosecution and incarceration of offenders.
Identity theft also directly costs private consumers over two billion dollars and one-hundred million hours of time per annum to resolve in the aftermath of having their identities stolen. The Privacy Rights Clearinghouse reports that over eight million individuals were victims of identity theft in 2007 alone. That source also reports at least 900 business-related data breaches in the United States alone involving the compromise of over 245 million records containing personal information. Over the past two years, hackers, disaffected employees, and other cyber criminals have compromised data networks at TJ Maxx/Marshalls, Barnes & Noble, Bank of America, Wells Fargo, Stanford University, Princeton University, The Veterans Administration, Fannie Mae, and the City of San Francisco. According to the Department of Justice, reports of data breaches increased even more dramatically in 2008 with 656 reported breaches, reflecting an increase of 47% over the preceding year's total of 446. This includes a total of 35,691,255 stolen or otherwise compromised identities. According to that same study, only 2.4% of all breaches had encryption or other strong protection methods in use, and 8.5% of reported breaches had password protection.
Considering the enormity of these incidents, there is no way to be certain “how many other retailers, who might not be quite as careful, are already being breached?” As dependence upon data access, especially wireless applications, continues to grow, new vulnerabilities will be further exploited. Obviously, given the current risk environment, businesses are obligated to do their utmost to protect systems and ensure customer confidentiality. Unfortunately, in this same threat environment, careful consideration must also be given to planning and preparation for worst-case scenarios. In the event of a major system compromise, who bears the cost of system restoration or customer reimbursements? What about negative publicity, loss of goodwill, and lawsuits? What constitutes minimum due diligence before and after a data compromise? What steps should management consider post-breach? What are the legal consequences to our business, customers and other stakeholders? Should we purchase cyber-insurance?
Part one of this article addresses current infrastructure risks and the challenges associated with cyber insurance underwriting. Part two attempts to summarize what has become a rather complex legal and regulatory landscape. Part three addresses due diligence and post-breach best practices that may facilitate the retention of customer goodwill while minimizing business costs and legal liabilities.
Keywords: Risk management, corporate governance, data integrity preservation, identity theft prevention, operational imperatives, strategic imperatives, shareholder value, consumer value, cyberspace, cybercrime, cyberwarfare
JEL Classification: K10, K42, L14, L15, L20, L21, L50, L52, L86, L96, M10, M11, M50, M51, O30, O31, O32, O33, O34, P41
Suggested Citation:
Winn, John I. and Govern, Kevin H., Identity Theft: Risks and Challenges to Business of Data Compromise (2009). Temple Journal of Science, Technology & Environmental Law, Vol. 28, No. 49, 2009. Available at SSRN: https://ssrn.com/abstract=2093493