Lose My Data, Pay Me $1,000

Opinion: If companies had to pay $1,000 for each customer inconvenienced by lost personal data, they would shape up on their security in a hurry.

Veterans groups may have accidentally found the remedy for companies lax protection of customer information. The cure: $1,000 for each person affected by a data breach.

The veterans groups behind a massive class-action lawsuit against the U.S. Department of Veterans Affairs, which opened the door for the personal information of 26.5 million veterans to be stolen from an employees home, are seeking damages of $1,000 for each person affected.

And while the suit doesnt affect the corporate world, its not a bad idea.

The lawsuit charges that the VA "flagrantly disregarded the privacy rights of essentially every man or woman to have worn a United States military uniform."

To make amends, the plaintiffs want $1,000 in damages for each person listed in the database that was stolen. Add it up and thats damages of $26.5 billion. Ouch.

Now, Im not the lawsuit-lovin type, but this case could provide a eureka moment. Disclosing breaches as required by California law only results in public scorn thats forgotten faster than the fifth-place finisher in "American Idol."

Meanwhile, regulators come up with wimpy fines. In January, the Federal Trade Commission levied $15 million in fines against ChoicePoint, an aggregator of consumer data whose lax procedures for disclosing personal information of 163,000 individuals to fraudsters.

The FTC had charged ChoicePoint with violating the Fair Credit Reporting Act, among other issues.

While $15 million is a big chunk of change, it only amounts to half of ChoicePoints net income for the quarter ending March 31. Woopie.

Its high time consumers got a little more blood out of companies that cant protect data. Enter the $1,000 benchmark, which well call the $1K rule, from Rosinski. Under that benchmark, ChoicePoint should have been fined $163 million.

Clearly were on to something with this $1K rule. With enough financial pain, maybe companies will even encrypt data on laptops (a novel thought), restrict access to personal data (now were cookin) and even—gasp—not collect so many unnecessary data points in the first place (will never happen).

Under the $1K rule, the YMCA—which reported that a laptop containing the customer records of about 65,000 individuals, including debit card, credit card and Social Security data, was stolen—would face $65 million in pain (safe to say it wouldnt be too much fun to stay at the Y-M-C-A after that).

Hotels.com and auditors at Ernst & Young would have to pay $243 million after warning that the personal data of roughly 243,000 customers was exposed at the online travel site.

Are the fines Draconian? Yes. Effective? You bet. But with a little pain, companies will get their security act together. Im starting to feel better already.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.