A number of the largest computer security breaches on record have occurred over the past several months. For example, at the end of March 2011, hackers stole the names and email addresses of customers of Barclaycard US, Capital One and other large firms from the email marketing provider Epsilon. Then in April 2011, reports indicated that hackers had obtained credit card information and other personally identifiable information of potentially 77 million Sony PlayStation Network users in 59 countries. There have been a number of other large-scale attacks since then. While it is extremely difficult to measure with precision the total costs and damages caused by a security breach, especially one as large as these, it is estimated that Epsilon and Sony may each be out tens of millions of dollars. According to one estimate, the average cost of responding to a breach in 2010 was more than $300 per affected customer. Thus, if that estimate is correct and the per-customer figure scales to a breach of this size, Sony could be facing a bill of more than $20 billion just for notifying affected customers.
These incidents raise a number of technical and legal issues that any company storing sensitive information, especially government contractors and health care providers, should address in order to reduce its exposure in the event that it also becomes the victim of a computer intrusion. In particular, the intrusions, especially the one involving Sony, highlight the importance of companies not only having sophisticated computer security systems in place, but also having a contingency plan for what to do should those systems fail and a successful intrusion result in stolen data.
Whether the computer security of the companies recently victimized by hackers met industry standards is beyond the scope of this article and is a matter best left to experts in that field. However, how the companies reacted once they learned they had been victimized has led to far greater scrutiny and potential exposure than if they had acted more forcefully from the beginning. Indeed, in the case of Sony, its reaction to the breach has arguably played a large part in its being sued, subjected to a Congressional inquiry, and investigated by the United States Department of Justice.
Regardless of how secure companies believe their computer systems to be, they can still be the victim of a computer intrusion, and thus it is essential for companies to have a plan for how to respond to an incident involving the breach of a computer system or the loss of confidential information. In response to a security breach, a company can (1) ignore the incident altogether; (2) implement security measures to defend against further attacks; (3) defend against further attacks by implementing security measures and by reporting the incident to the authorities for criminal prosecution or by bringing a civil action against the perpetrators; and/or (4) perform surveillance and counterintelligence. Given the critical nature of computer systems, it is extremely unlikely that the first approach would be considered an adequate response, and whether to implement responses 2 through 4 will depend on the nature and scope of the intrusion and on whether the individuals responsible for the attack can be identified. One caveat on the fourth option: surveillance and counterintelligence should be confined to the company's own systems and evidence, since active measures against an attacker's infrastructure risk violating the same computer-intrusion laws the company would be invoking against the attacker.
Therefore, it is essential that companies either have computer security experts in-house or have a pre-existing relationship with outside computer security experts who will be prepared to act as soon as they are notified of a breach, to conduct an analysis and, at a minimum, to secure the system and help determine the next steps. Sony sought to explain its delay in notifying customers of the breach by stating that “[i]t was necessary to conduct several days of forensic analysis . . . We then shared that information with our consumers and announced it publicly yesterday evening.” Right now, only Sony knows whether it could have informed its customers more expeditiously.
In cases in which personally identifiable information or credit card information is obtained, companies are generally required by breach-notification laws to report the breach to the relevant authorities and to notify the individuals whose personal or financial information was compromised. In that regard, it is essential that the company notify such individuals as soon as possible so that they can take prompt action in response, such as notifying their credit card provider. Companies should also consider what, if anything, they are willing to offer the victims as compensation. A popular form of compensation so far has been offering to pay for credit monitoring or identity-theft protection services for the victims for a period of time. Whether victims will be satisfied by such an offer is still an open question.