Concepedia

Publication | Closed Access

Data Breaches: What the Underground World of Carding Reveals

Citations: 86

References: 0

Year: 2009

Abstract

I. INTRODUCTION

A. Large Scale Data Breaches

The term is generally and broadly defined to include an organization's unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information, which can include personally identifiable information such as Social Security ... numbers, or financial information such as credit card (2) Since 2005, there has been a rash of reported high-profile data breaches involving the compromise of large volumes of personal information. (3) This rash began with the reported compromise of 163,000 consumer financial records from the computer systems of a large consumer data broker, Choicepoint Inc., in February 2005. (4) Choicepoint's security breach became public after it notified approximately 35,000 California consumers, pursuant to California law, that it may have disclosed their personal records. (5) The California law at issue had been passed in 2003, making it the first state to enact legislation requiring consumer notification in the event of a security breach involving the unauthorized acquisition of personal information. (6) In response to the increased fears of identity theft resulting from these publicized breaches, a majority of states have since followed California's lead and passed security breach notification laws. (7)

Often, large scale data breaches involve the compromise of personal financial information, such as credit or debit card information, rather than other types of personally identifiable information, such as Social Security numbers. (8) Three of the larger, more highly publicized data breaches in recent years, including DSW, Inc., (9) CardSystems Solutions, Inc., (10) and TJX Companies, Inc., (11) have involved the compromise of millions of credit and debit card information. In these cases, hackers targeted the credit and debit card information held by merchants or third party data processors as the result of credit and debit card retail transactions.

The compromise of credit and debit card information most often results in the type of identity theft referred to as account takeover, which involves fraud on existing financial accounts. (12) Account takeovers occur, for example, when a criminal uses a stolen credit card number to make fraudulent purchases on an existing credit line. Account takeovers are the more common type of identity theft, in contrast to a second type of identity theft referred to as creation. (13) New creations involve the fraudulent creation of new accounts, for example, when a criminal uses stolen data to open a bank or credit card in someone else's name. (14) Often, in order to engage in this type of identity theft, the criminal must steal more personal information than merely credit and debit information. (15) Accordingly, if individuals suffer any harm as a result of a large scale data breach, that harm is most likely to be in the form of unauthorized use of a debit or credit card on an existing account. (16)

This harm often results in little or no economic loss for the individual because consumer liability for unauthorized credit and debit card use is limited by law (in most cases to $50). (17) Nonetheless, the individual may suffer significant non-monetary losses such as invasion of privacy, inconvenience, and reputation damage. Moreover, the economic loss for both the financial institutions issuing payment cards and the corporate entities from which cardholder information is stolen is significant. Issuing financial institutions may experience three types of losses, including (1) costs associated with reissuing new payment cards, (2) costs associated with monitoring open accounts for fraud (with or without reissue), and (3) fraud losses. (18) Merchants, data processors, and other companies suffering from the breach, in turn, face significant losses in the form of lawsuits, (19) credit card association fines, customer notification costs, stock price decline, lost business, and loss of existing customer confidence. …