||DATA BREACHES AREN’T JUST BUSINESS ISSUES, THEY’RE PERSONAL
It certainly is not an intentional act by businesses to let data breaches happen. Even the smallest breach can cost tens of thousands in credit monitoring fees, and with budgets tightening even more this year, any size breach would not be a welcome expense. With that said, many companies are not budgeting assessments to ensure their infrastructure is impenetrable and their policies and access controls are being met.
When a breach compromises employee or customer data, it can devastate the life of these victims for years to come. The effects of a Social Security number being stolen, for instance, can have lasting consequences. There are those that use an unauthorized SSN to get a job, and then there are those who use it to assume the identity of another person to commit fraud, which can ruin a victim’s credit or put them into debt. But even if it is used for jobs only, it can affect the victim’s SSN benefits when needed later in life. A recent article called Two Lives, One Social Security Number recounts the struggle of one victim’s experience when discovering while opening her new 401(k) statement that there was another name on it.
The consensus of most companies that fail to protect identifiable information is that they will be exempt from prosecution and will not have to account for their negligence unless the victims can prove they suffered loss or harm from the breach. But recently, the FTC has declared that common sense will prevail over technical legal arguments when it comes to governmental sanctions, as they did with the ValueClick settlement ruling. They concluded “that enterprises could be found negligent for promising to protect user data but subsequently failing to implement the security precautions required to meet those