April 07, 2005

The Next Corporate Liability Wave?

Your phone rings. It's Special Agent Bert Ranta. The FBI is investigating a crime ring involved in widespread identity theft. It has led to millions of dollars of credit card and loan losses for lenders, and havoc in the lives of the 10,000 victims. By identifying links between the victims, the FBI has discovered where the personal data appear to have come from: your company. The victims are some of your customers.

Identity Theft: The Next Corporate Liability Wave?
Toby J.F. Bishop and John Warren
The Corporate Counsellor

Your mind begins to whirr. Are there other customers affected who haven't been identified yet? Is it a hacker or an inside job? Is your company also a victim here, or could it be on the wrong end of a class action lawsuit?

You recall reading that each identity theft victim will on average spend $1,495, excluding attorneys' fees, and 600 hours of their time to straighten out the mess, typically over the course of a couple of years. For out-of-pocket costs alone that is, say, $2000 per victim. Multiplying that by 10,000 customer victims equals $20 million. Adding as little as $15 per hour for the victims' time and you get $11,000 per case or $110 million in total even before fines and punitive damages are considered. And that's on top of the potential impact on your company's future sales.

...

http://www.law.com/jsp/cc/pubarticleCC.jsp?id=1112090711870

Posted by iang at April 7, 2005 12:09 PM
Comments

I think this is a typical case of the tragedy of the commons. If a secret is shared by more than two parties, nobody can identify the source of the leak. So, the damages are shared, the benefit is private.
I think that any security-conscious design should avoid secret-sharing between more than two parties in one step.
Each secret-sharing should be an individual contract with two parties and clear identification of the consequences if the secret leaks.

There should be no corporate responsibility for secrets: only personal. Otherwise, it will be sold, extorted, stolen. The price that the individual is willing to pay for protecting shared secrets for which he is not personally and exclusively responsible is abysmally low. And rationally so.

Posted by: Daniel A. Nagy at April 7, 2005 03:43 PM
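The comment above argues that a secret handed to more than two parties cannot be traced back to whoever leaked it. One concrete way to keep every sharing a two-party affair is to never hand out the secret itself, but a distinct credential derived from it for each recipient, so a leaked credential names the party that held it and can be revoked without disturbing anyone else. The Go program below is an added illustration of that design, not code from the post or its commenter; the `Issuer`, the customer id `cust-1`, the party names and the use of HMAC-SHA256 as the derivation are all assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Issuer is a hypothetical data holder with one master secret per customer.
// The master secret never leaves it; each outside party gets a different
// credential derived from it.
type Issuer struct {
	master map[string][]byte          // customer -> master secret
	issued map[string]map[string]bool // customer -> party -> still valid
}

func NewIssuer() *Issuer {
	return &Issuer{master: map[string][]byte{}, issued: map[string]map[string]bool{}}
}

// Enroll creates a fresh random master secret for a customer.
func (is *Issuer) Enroll(customer string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	is.master[customer] = k
	is.issued[customer] = map[string]bool{}
	return nil
}

// derive computes HMAC-SHA256(master, "party:"+party): unique per party,
// reproducible only by the issuer.
func (is *Issuer) derive(customer, party string) ([]byte, error) {
	k, ok := is.master[customer]
	if !ok {
		return nil, errors.New("unknown customer")
	}
	m := hmac.New(sha256.New, k)
	m.Write([]byte("party:" + party))
	return m.Sum(nil), nil
}

// Share issues the credential one party receives for one customer: the
// two-party contract the comment asks for.
func (is *Issuer) Share(customer, party string) (string, error) {
	c, err := is.derive(customer, party)
	if err != nil {
		return "", err
	}
	is.issued[customer][party] = true
	return hex.EncodeToString(c), nil
}

// Verify accepts a credential only from the party it was issued to, and only
// while that issuance has not been revoked.
func (is *Issuer) Verify(customer, party, cred string) bool {
	if !is.issued[customer][party] {
		return false
	}
	want, err := is.derive(customer, party)
	if err != nil {
		return false
	}
	got, err := hex.DecodeString(cred)
	if err != nil {
		return false
	}
	return hmac.Equal(want, got)
}

// Attribute names the party a leaked credential was issued to ("" if none).
// Revoked issuances stay attributable: the leak happened on their watch.
func (is *Issuer) Attribute(customer, leaked string) string {
	want, err := hex.DecodeString(leaked)
	if err != nil {
		return ""
	}
	for party := range is.issued[customer] {
		if c, err := is.derive(customer, party); err == nil && hmac.Equal(c, want) {
			return party
		}
	}
	return ""
}

// Revoke invalidates one party's credential without touching the others.
func (is *Issuer) Revoke(customer, party string) {
	if m, ok := is.issued[customer]; ok {
		m[party] = false
	}
}

func main() {
	is := NewIssuer()
	_ = is.Enroll("cust-1") // constructed customer id
	a, _ := is.Share("cust-1", "lender-A")
	_, _ = is.Share("cust-1", "lender-B")
	fmt.Println("leaked credential was issued to:", is.Attribute("cust-1", a))
	is.Revoke("cust-1", "lender-A")
	fmt.Println("lender-A still accepted:", is.Verify("cust-1", "lender-A", a))
}
```

The caveat a practitioner should keep in mind: this attributes a leak only when the thing that leaks is the derived credential. If what is shared is the customer's raw data (name, date of birth, account number), every recipient holds the same bytes and no derivation can tell them apart; the principle then has to be applied one level up, by giving each party its own reference or token instead of the data itself.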

"You recall reading that each identity theft victim will on average spend $1,495, excluding attorneys' fees, and 600 hours of their time to straighten out the mess,"

Does anyone know whether or not an identity theft SOP is available?

That is, does the 600 hours mean that people are usually first-time victims of identity theft and part of that 600 hours (the larger part) is discovering what to do, where to turn, etc.?

If there isn't an identity theft 'How to recover from identity theft' SOP 001, shouldn't someone around here think of writing one? (iang? How about a post - what should go into an identity theft SOP?)

Posted by: Darren at April 8, 2005 04:06 AM

working on x9.99 privacy standard for the financial industry, one of the issues that came up was distinguishing between 1) acquiring enough information to open new accounts in the victim's name and 2) acquiring enough information to perform fraudulent transactions on existing accounts.

x9.59 was designed so that it could make use of AADS technology (which we had invented)
http://www.garlic.com/~lynn/index.html#aads

however, x9.59 was primarily a business process solution to fraud, eliminating the ability for criminals to do fraudulent transactions
http://www.garlic.com/~lynn/index.html#x959

with skimmed/harvested data
http://www.garlic.com/~lynn/subpubkey.html#harvest

a major issue was the value to the crooks tended to far exceed the ability of most organizations to protect the data; security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61

the 1997 business requirement for AADS chip was to meet the power & elapsed-time requirement used for the mitsubishi/sony contactless chip used in the HK transit system. such chip/technology was available by the AADS conference in jan. 1999
http://www.garlic.com/~lynn/aepay3.htm#riskm

and was demo'ed at the 1999 BAI show in Miami
http://www.garlic.com/~lynn/99.html#217

and an AADS hardware token was used in the NACHA debit payment trials in 2000 (Star & Fiserve doing implementation), 9/98 AADS NACHA project proposal:
http://www.garlic.com/~lynn/nacharfi.htm

6/2001 report on results:
http://internetcouncil.nacha.org/News/news.html

Posted by: Lynn Wheeler at April 8, 2005 01:27 PM
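The comment above says x9.59 removed the ability to perform fraudulent transactions with skimmed or harvested data, using AADS (account authority digital signature) hardware tokens. The mechanism that makes harvested account data worthless is that the account record holds a public key and every transaction must carry a signature from the token holding the matching private key; the account number is still in the transaction, but it no longer authorises anything. The Go program below is an added model of that check, not x9.59's message format or any AADS implementation; the `Transaction` fields, the per-account nonce used against replay, the P-256 ECDSA choice and the account number `4111-0000-0000-1234` are assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is what a merchant forwards to the account authority.
type Transaction struct {
	Account  string
	Merchant string
	Cents    uint64
	Nonce    uint64 // strictly increasing per account; a captured signed transaction cannot be replayed
}

// digest binds every field into the value the token signs, with separators
// so that shifting bytes between fields changes the hash.
func (tx Transaction) digest() []byte {
	h := sha256.New()
	var b [8]byte
	h.Write([]byte(tx.Account))
	h.Write([]byte{0})
	h.Write([]byte(tx.Merchant))
	h.Write([]byte{0})
	binary.BigEndian.PutUint64(b[:], tx.Cents)
	h.Write(b[:])
	binary.BigEndian.PutUint64(b[:], tx.Nonce)
	h.Write(b[:])
	return h.Sum(nil)
}

// Token stands in for the customer's hardware token: the private key never
// leaves it, only signatures do.
type Token struct{ priv *ecdsa.PrivateKey }

func NewToken() (*Token, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: k}, nil
}

func (t *Token) Public() *ecdsa.PublicKey { return &t.priv.PublicKey }

func (t *Token) Sign(tx Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, t.priv, tx.digest())
}

// Authority holds, per account, the registered public key and the last nonce
// seen. This is an illustrative model of the account-authority idea only.
type Authority struct {
	keys  map[string]*ecdsa.PublicKey
	nonce map[string]uint64
}

func NewAuthority() *Authority {
	return &Authority{keys: map[string]*ecdsa.PublicKey{}, nonce: map[string]uint64{}}
}

// Register stores the token's public key in the account record.
func (a *Authority) Register(account string, pub *ecdsa.PublicKey) { a.keys[account] = pub }

// Authorize accepts a transaction only if it is signed by the key registered
// for the account and carries a nonce not seen before.
func (a *Authority) Authorize(tx Transaction, sig []byte) error {
	pub, ok := a.keys[tx.Account]
	if !ok {
		return errors.New("unknown account")
	}
	if !ecdsa.VerifyASN1(pub, tx.digest(), sig) {
		return errors.New("signature does not verify: account data alone does not authorise")
	}
	if tx.Nonce <= a.nonce[tx.Account] {
		return errors.New("replayed transaction")
	}
	a.nonce[tx.Account] = tx.Nonce
	return nil
}

func main() {
	tok, _ := NewToken()
	auth := NewAuthority()
	const acct = "4111-0000-0000-1234" // constructed account number
	auth.Register(acct, tok.Public())
	tx := Transaction{Account: acct, Merchant: "shop-1", Cents: 4999, Nonce: 1}
	sig, _ := tok.Sign(tx)
	fmt.Println("genuine:", auth.Authorize(tx, sig))
	fmt.Println("replay: ", auth.Authorize(tx, sig))
	crook, _ := NewToken() // holds the skimmed account number, not the token's key
	forged := Transaction{Account: acct, Merchant: "mule-1", Cents: 99900, Nonce: 2}
	fsig, _ := crook.Sign(forged)
	fmt.Println("forged: ", auth.Authorize(forged, fsig))
}
```

Note the limit the commenter draws himself: a signature on each transaction defeats case 2), fraud on existing accounts, because the harvested data no longer lets a crook produce a valid transaction. It does nothing for case 1), opening new accounts in the victim's name, since that fraud happens before any key has been registered for the account.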