[Dataloss] What is my data worth?

George Toft george at myitaz.com
Mon Sep 25 02:22:44 EDT 2006


Numbers I've seen . . .

According to Consumer Reports, the average phishing theft victim suffers 
an $800 loss.  Let us assume that the same metric can be used for 
"general" ID theft.

In 2002, an ID thief employed at the same company where I was working 
was busted for selling IDs on the Internet for $50 each.  He ripped off 
a competitor's employee database and was selling it off.  Sad thing was 
the FBI was tracking him for 4 years before they busted him.

I've read of numbers higher and lower than that, but that's about the 
going wholesale rate for an ID.  Retail seems to be about $140, based on 
a NY Times article.


Liability considerations . . .
I'm not sure this metric could be used to establish damages, but it 
would weigh heavily in proving negligence.  Assume a CPA has 500 
clients' information stored on a hard drive.  Using the numbers above, 
that hard drive is worth $25K - $70K (wholesale vs retail).  If someone 
regulated by Federal Regulations (GLBA) failed to take the required 
actions to protect a $25K device that caused 500 people $800 damage each 
(total of $400K in damages), I think the plaintiffs have a good case for 
a suit.

Many states are writing a stipulation into their data protection laws 
where the victim can recover actual costs from ID theft from the company 
that lost it.  IMHO, it would be a clear case of negligence to not spend 
the few thousand dollars to protect yourself from a 6 figure lawsuit.

Disclaimer: I am not a lawyer.


Personal story . . .
I met with a CPA recently.  We discussed his obligations under GLBA to 
protect his clients' information.  His only question was whether or not 
his insurance company required a risk assessment (which GLBA requires). 
He had absolutely no intention of complying with GLBA unless his 
insurance company required it.

I then explained the scenario to my insurance company and asked them if 
they would pay out on a liability lawsuit if I failed to comply with 
Federal Law.  Their answer: maybe.


Final tidbit . . .
I have yet to meet a company regulated by GLBA that was in full 
compliance.  I would even go so far as to say 95% of the companies bound 
by this regulation have never heard of it, therefore don't know their 
obligations.  (Based on telephone interviews we've conducted in Phoenix, 
that number is closer to 98%.)

The problem is only going to get worse.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.


Jason Lewis wrote:
> I was reading about various lawsuits against companies/entities that 
> have had data breaches and I got to thinking. Has anyone done any 
> research into how valuable my data is?  I would think that would go a 
> long way in estimating losses.
> 
> For example, an advertiser is interested in target demographics, how 
> much will they pay for info about me and my spending habit, credit card 
> debt, loans, etc.
> 
> How much is the average consumer's data worth?  Is it even reasonable to 
> try and figure out that cost when trying to punish entities that lose 
> the information?
> 
> jas
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 146 million compromised records in 366 incidents over 6 years.

