I hope Hannaford wins this case. Certainly there are negligent companies that should have to deal with litigation, but I am not convinced that Hannaford is one of them. This seems like another case where as soon as someone gets breached, they feel they can slap a lawsuit to get some easy money. That is just a very slippery slope, especially for those of us who know that you can never be 100% secure. Breaches will happen. Could Hannaford have done more…yes. Everyone could. Do they deserve this type of litigation? I don’t think so. We shouldn’t be setting a precedence like that.

http://pressherald.mainetoday.com/story.php?id=248452

A new financial institution data breach study has recently been published by Kevin Prince of Perimeter eSecurity. It analyzes breaches between 2000 and 2008. While several aspects of the study deserve individual discussion and attention, it is interesting that Kevin Prince did a podcast interview with BankInfoSecurity. In the podcast Kevin answers questions regarding compelling aspects of the study, sources of data breaches, the cost of data breaches, lawsuits and how they relate to data security breaches. Kevin also gives 6 things any business can do to reduce their exposure to data breaches. He discusses the Heartland, RBS WorldPay and Hannaford breaches.

If being PCI certification meant that 1) your network was free from hackers, exploit, and vulnerabilities on a given date 2) that you were impervious to attacks from them until now, and 3) that certification equaled security, then I think they would be okay. But it doesn’t. PCI represents the minimum standard of security for merchants. Someone like Heartland will have a difficult time hiding behind their PCI certificate when they process over 100 million credit card transactions each month. Their policies, procedures, and best security practices should be so far above PCI that it never comes up.

All that being said, the sophistication of hackers today can go far beyond what even responsible business can handle and prepare for. We don’t know enough about the Heartland breach to know what level neglegence plays yet! That will ultimately be what will make them pay or not. I don’t believe their PCI certificate will help much.

In our sue happy society, it doesn’t seem to matter how or why a breach occured. It doesn’t matter if the data was touched, manipulated, or used for any purpose (including fraud). It doesn’t matter if the data was found intact and unobserved. If you have a data security breach of just about any magnitude, it is almost certain that you will slapped with a class-action lawsuit.

The latest example is Starbucks. http://www.networkworld.com/news/2009/022309-starbucks-sued-after-laptop-data.html What companies need to worry more about is theft…especially of laptops. Observe the following charts.

Data Breach Sources of Incidents Between 2000 and 2008

Data Breach Source of Incidents 2008

The #1 cause of data security breaches is stolen laptops! There are only 4 states that require data breach disclosure if the data is encrypted. 2009 will be the year of the class-action lawsuits for data breaches. It will be interesting to do some analysis 1 year from now looking at which costs more, the data breach itself (costs to reissue cards, credit monitoring, forensics, etc.) or the lawsuits.

A firm in Philadelphia has filed a second class action lawsuite against RBS WorldPay in the amount of 20 million. This is after criminals stole 9 million in a highly coordinated ATM fraud scheme. See previous post here for more information.