I enjoy debating industry issues with other people.
An interesting thread is the intersection between the new forms of inadvertent information breaches (what was once private is now public) and the legal system.
Simply put: will the legal system recognize this new form of tort?
I'd like to hand the microphone over to Bill Bonin, who's a fellow EMCer and a lawyer by past experience. I found his insight a bit sobering ...
Bill writes:
Question: When is a laptop worth $1 billion?
Answer: When the company that owns it is found liable for a large scale identity theft.
True story: A major financial institution lost a laptop containing detailed personal information about me and more than 100,000 fellow employees and former employees (Full disclosure: not EMC employees).
The laptop doesn’t seem to have gotten into the hands of identity thieves, at least so far. But what if it had?
INJURY
Do IT problems cause injuries? Well, no one dies. But if your identity is stolen and you can’t get credit, you can’t check into a hotel in a normal way, collectors call day and night, etc., etc., my friend, you have been injured.
LARGE SCALE
If 10% of 100,000 people had their identities stolen, that’s a lot of stolen identities.
DAMAGES
How much is identity theft worth? Would you consent to have your identity stolen for $20,000? I wouldn’t. Do you think an aggressive lawyer could convince a jury it was worth $100,000?
NEGLIGENCE
Is it foreseeable (the legal standard) that carelessly losing a laptop containing detailed & confidential personal information might cause identities to be stolen? Would you bet $1 billion that a court will say no?
This is not an academic exercise. Laptops go missing. Tapes fall off trucks. By my math 10,000 injuries worth $100,000 each come out to….
Well, it’s one very expensive laptop.
Schlemiel, Schlimazel
A schlemiel is a guy who spills his soup. A schlimazel is the guy he spills it on.
When enterprise data gets lost, the schlimazel sometimes gets worse than the schlemiel.
Suppose the credit card processing operations of a major merchant (airline, big box store, etc.) were hacked and a credit fraud ring stole detailed personal information about all their customers.
Lots of victims. Lots of bad press.
There are three parties to the problem:
• The merchant that lost the information
• The victims (the people whose personal data was stolen)
• The card issuers (Visa, AMEX, etc.)
Even if the merchant alone was hacked and the card issuers did nothing more than issue the cards and accept them for payment, there is still a pretty good chance the issuers would get sucked in.
Why?
Would the media refrain from blaming Visa just because they hadn’t done anything wrong?
Would plaintiffs' attorneys refrain from suing AMEX and restrict their demand for money to the party that actually caused the loss? (Actually, as I think about this one, it's too remote a possibility to raise even as a question.)
And so the card issuer, apparently blameless, becomes the schlimazel in this little example.
Tape Falls Off Truck, News at 11:00
IT news rarely gets on TV. Data loss is an exception.
Let’s suppose a tape containing personal medical records of a quarter of a million war veterans went missing and was published maliciously on the Internet.
First rule of television journalism: "If it bleeds, it leads." And there would be enough blood to last weeks.
Victim interviews would provide the "up close and personal" visual content that television craves. (The man with psychiatric problems, the woman with STDs. Each suitable for a 3 minute segment.)
And who is accountable? Who should pay?
It would be a great story.
The point of all of this is that in the age of the Internet, in the age of 24x7 news and mass torts, protection of enterprise data is a special IT problem.
A single careless act can give rise to the worst sort of PR nightmare. Financial liability can move share prices.
There are also technologies to mitigate the threat -- but are people using them?
And what sort of liability does that create?
----------------------------
Thanks, Bill. I don't think there are many IT people who want to cross swords with a good lawyer.

Hats off to Bill; attorneys are the best friends of the infosec geeks.
BTW, there are lots of other ways to lose a billion dollars on a laptop. What if the laptop had a billion dollars of intellectual property on it? Besides the value on the open market (think drug companies), what if that IP belonged to a business partner? Imagine the lawsuit that opens up.
Posted by: planetheidi | March 06, 2007 at 10:45 PM
OK, now you've got me thinking again.
One thing that jumps out at me is the non-linear response that happens when society has had enough of a certain behavior.
For years, insider trading was part of the stock market. Then, all of a sudden, they made a big example of a few people, and that was that. Not that I have that much sympathy for Martha Stewart, but many people think she was unduly singled out.
More recently, there's the options dating scandal that's causing dozens of executives to be indicted. It's gone on for years, but now they're making a point of tracking down and punishing people.
Are we that far away from a time when some public-minded organization (or class action lawyers) decides this issue is a great opportunity, and goes after it with vigor?
I, for one, wouldn't be surprised.
Posted by: Chuck Hollis | March 07, 2007 at 06:20 AM
This just raises the whole issue of corporate responsibility in a digital world, and the corresponding personal responsibility to manage data securely. Somewhere, there must be a pile of discarded or 'lost' laptops... the lucky attorney who finds them!
Posted by: Michelle Lavoie | March 12, 2007 at 09:55 AM