Clifford’s Notes, Chicago Lawyer April 4, 2014
By Robert A. Clifford
My 93-year-old mother does not communicate by e-mail. She doesn’t use a computer. She pays her bills by check. She doesn’t have a cellphone.
However, when stores such as Target or medical providers such as Advocate Medical report a data breach, she still worries that someone may steal her identity.
Names, addresses, credit card numbers, card security codes, phone numbers, e-mail addresses and, in some instances, Social Security numbers are believed to have been stolen in various breaches. The chaos has everyone asking, “How do I protect my identity?”
And the worst of it is the American public isn’t even being informed of what is really going on. One has to follow Brian Krebs, the “cybersecurity blogger the hackers love to hate,” who is credited with breaking the story on the Target data breach.
The 41-year-old former Washington Post reporter told Business Week in January he received a bag of feces in the mail. He says he’s not satisfied with reporting the breaches; he wants to find out the hackers who are behind it. He’s also credited with discovering the malware that allegedly infected point-of-sale systems at Target checkout counters through memory scraping that allowed the data to be stored on magnetic stripes to create cloned cards.
One wonders why Target itself wasn’t immediately forthright with the data breach. First, it was reported that 40 million people were affected. Then, 70 million. Now it’s up to 110 million. And that number may still grow.
Krebs was one of the first to report the story of a possible security breach of customers of Michaels, an arts-and-crafts chain with stores in the Chicago area. And then comes word that Coca-Cola is reporting that data of 74,000 employees, vendors and contractors was exposed from unencrypted stolen computers. This data included names, Social Security numbers and addresses as well as financial compensation and ethnicity. When will this end?
A recent Wall Street Journal article reported that the Identity Theft Resource Center in San Diego found at least 619 data breaches last year, which equated to 57.8 million customer records. That’s compared to fewer than 200 data breaches in 2005 and more than 400 in 2011.
It has been known for many years that hackers had the ability to steal information, and standards exist so that retailers may protect against breaches. So I find it unacceptable that major stores or medical providers did not take reasonable security measures to protect their customers’ or patients’ information — while being more than willing to take their personal information and then store it for many years, mostly for marketing initiatives.
Credit-monitoring services and identity-theft insurance can be of minimal help once the thief has your information. The credit-monitoring service does not detect all fraudulent uses of your credit information.
A credit-monitoring service, for example, will alert the customer when someone is trying to open new lines of credit, but it doesn’t reveal when someone uses a credit card to make fraudulent charges. Many rely upon their credit card companies to alert them of suspicious activity.
The Wall Street Journal article offers some tips to consumers about what they can do to protect their identities — from alerting credit card issuers to tell you by phone if a charge goes beyond a certain dollar amount to placing a “fraud alert” on your credit report with one of the credit bureaus that will require extra steps of the person to confirm his or her identity when applying for credit.
But that still doesn’t help the millions who have suffered from medical data breaches or the Coke employees who learn their private information has been compromised.
It will be interesting to see how the courts handle these cases that involve millions of people.
Certainly a class-action process is necessary, but ensuring that everyone is kept informed throughout protracted legal proceedings may prove onerous as people move, change their contact information and pass away. And although many may not suffer actual identity theft, isn’t there something to be said of the distress in worrying about what is happening to one’s credit and in going the extra lengths to pay for credit monitoring protection and insurance?
Or what about the fact that the price of every product or service you purchase, from a book to medical care, includes a cost component passed along to the consumer that is allocated for the technical systems and security that retailers say is necessary for handling your sensitive personal and financial information? Why does a retailer charge consumers for that purported technical security to protect consumers’ privacy if the retailer does not intend to supply adequate security?
Although Congress is working on stronger cybersecurity measures, it just may be the courts that define the accountability of a company for a data breach that may ultimately make companies more responsive and more responsible.
In the meantime, look for that Hollywood movie on Krebs.