INT. SECURE VAULT — NIGHT
An impenetrable vault. Walls 3 feet thick. Smoke reveals laser motion sensors and heat sensors. A biometric iris scanner restricts access. Television monitors show every angle of the room. Dozens of heavily armed GUARDS await the alarm that will spring them into action. Our HERO has to break in. His gloved hand gently jiggles the door handle, testing it, probing it. He looks up — he has discovered the vulnerability. As he pivots, the KLAXON goes off. The guards begin to descend on his location. He hides in the bushes. The guards, finding no evidence of break-in, withdraw. HERO slithers back to the door, jiggling the handle again. KLAXON goes off again. The scene is repeated, twice, three times, a dozen times. Finally, a guard flips the MASTER SWITCH to the OFF position.
Our HERO is in.
Dear valued Home Depot Customer…
That’s how the latest communication goes. Yet another notice of yet another data breach. TJ Maxx, Target. Now Home Depot. With each successive breach notification, the consumer gets more and more calloused. They stop caring. And that attitude means that consumers are less likely to demand change, rather than more likely.
For too long, consumers have been told that the sky is falling. That their personal data is at severe risk. That the world will come to an end. That we need a new system of authentication other than user IDs and passwords. That we need a new payment system.
We do. But not because of breaches.
Data breaches are the symptom of the problem. They are not the problem itself.
Data breaches are the reason to sell the solution. Not the source of the solution itself.
After the Home Depot breach, we don’t see people clamoring for new solutions. We barely see any news coverage. No hit to the stock price. No people flocking in droves to Lowe’s. Just a shrug of the shoulders, maybe a check of a credit card statement, maybe a call to a credit card issuer for a new card. In other words, just a normal Tuesday afternoon. Like the apocryphal story of the frog in boiling water — we get used to it. Consumers have realized that, for the most part, their lives aren’t at risk. Their day-to-day operations aren’t at risk. For the majority of data breaches, what IS at risk is their credit card balance. And guess what? That is what we in the law call “SEP.”
Someone Else’s Problem.
Under Federal Reserve Board Regulation E, contained in 12 CFR 205, the consumer has little if any liability for the misuse of their credit card or credit card number, or for the misuse of their debit card or debit card number. That means that, if your credit card number is compromised, you are not liable for fraudulent transactions. That’s not always true for commercial transactions, which are governed for the most part by the Uniform Commercial Code (UCC) Section 4A (more on that in an upcoming article). So as long as you check your credit report at www.annualcreditreport.com, check your credit card statements, and notify your bank if you think you are the victim of fraud (or get a new credit card anyway), you’re golden. Mostly.
We no longer blame the companies that suffer data breaches. Mostly. We assume (correctly) that everyone is vulnerable. Whether it is healthcare.gov being breached, or JPMorgan Chase suffering a data loss at the hands of Russian hackers, we pretty much expect some if not all of our data to be at risk.
So the free market is supposed to decide how much security we demand. And if we shrug, then the free market won’t really do anything.
Enter the Lawyers
The real costs of data breaches these days are the costs of notification, amelioration and litigation. Already a class action lawsuit has been filed against Home Depot for both the breach and the failure to timely notify consumers about the breach. More will come. Target had more than 30 separate class action lawsuits filed. See, lawyers don’t shrug. They sue. Often. For a lot of money.
The problem with the free market for security is that we tend to get complacent. We accept loss of our data as normal. It’s just routine. And unless we demand better security, that’s all it will be. Routine.