Your phone rings. It’s Special Agent Bert Ranta. The FBI is investigating a crime ring involved in widespread identity theft. It has led to millions of dollars of credit card and loan losses for lenders, and havoc in the lives of the 10,000 victims. By identifying links between the victims, the FBI has discovered where the personal data appear to have come from: your company. The victims are some of your customers.
Your mind begins to whirr. Are there other customers affected who haven’t been identified yet? Is it a hacker or an inside job? Is your company also a victim here, or could it be on the wrong end of a class action lawsuit?
You recall reading that each identity theft victim will on average spend $1,495, excluding attorneys’ fees, and 600 hours of their time to straighten out the mess, typically over the course of a couple of years. For out-of-pocket costs alone that is, say, $2000 per victim. Multiplying that by 10,000 customer victims equals $20 million. Adding as little as $15 per hour for the victims’ time and you get $11,000 per case or $110 million in total even before fines and punitive damages are considered. And that’s on top of the potential impact on your company’s future sales.
The nation’s fastest growing crime, identity theft, is combining with greater corporate accumulation of personal data, increasingly vocal consumer anger and new state and federal laws to create significant new legal, financial and reputation risks for many companies.
Criminals have realized that stealing confidential personal information can be extremely profitable. Hard-core hackers, street criminals, and domestic and international organized crime rings have flocked to the high-reward, low-risk arena of personal data theft, with staggering results. According to the most recent data available from the Federal Trade Commission (FTC), U.S. businesses and financial institutions lost approximately $48 billion as a result of these crimes in 2002.
The FTC estimates that over 24 million people in the United States have had their identity stolen. The $11,000 damage figure per case developed above, represents over $26 billion of potential liability if fault can be ascribed to the data holder. Customer and employee databases are prime targets for identity thieves because a single vulnerability in a company’s information security can yield access to personal data on thousands of persons. In addition to the growing threat of class action lawsuits, new laws are coming into effect to hold organizations responsible for securing personal data. Companies should evaluate this risk and consider taking action to reduce their potential liability.