Should Offering “Free Credit Monitoring Services” Absolve Data Breach Negligence?
Lately it seems as if a day doesn’t go by that we don’t hear about another data breach. And nowadays, they come in all flavors. Nefarious outsiders. Crooked insiders. Hacktivists looking to make a point. And even accidents resulting from some sloppiness or lax behavior by employees or trusted third-party partners.
This week alone, the headlines were dominated by data breaches and related news. From the Symantec source code breach of its pcAnywhere product, to the EU seeking to establish 24-hour breach notification legislation, to O2’s leak of customer mobile phone numbers, to the New York State Electric & Gas and Rochester Gas and Electric data breach. And the list goes on. From this week alone. Even the Ponemon Institute put out a report this week titled “Aftermath of a Data Breach Study”. And last week, the Zappos data breach dominated the headlines. You get the point.
Breaches are going to continue to happen. That’s just how it is. What irks me is how some of the breached organizations treat the real victims, the customers who were affected by the breach. The default answer seems to be for companies to offer to pay for credit monitoring services for a designated period of time and then call it a day. So, you mean to tell me that as a result of your negligence in protecting the information that you were provided, and trusted with, in order to do business with you, the answer is to foot the bill for a service that watches for further misuse of the breached data? Of course, that assumes the personal information hasn’t already been exploited in some fashion, and that it won’t be used in ways that a credit monitoring service won’t notice. And it fails to take into account the time, aggravation and inconvenience of rectifying any problems that resulted from the data breach before the “free” monitoring services were even offered. How is this an equitable solution?
In some cases, organizations have to be sued to provide even this level of restitution. Take the University of Hawaii, for instance. They just announced the settlement of a class action lawsuit over the data of 96,000 students, faculty members, alumni and employees that was “allegedly” breached. Their answer was to provide two years of credit monitoring and credit restoration services to those who request it. And they still had the audacity to deny liability in settling five alleged data breaches.
I liken this to being the victim of a car accident, where you are the one who is hit. And I’m not talking about the unavoidable accidents that happen, but those where the other driver is clearly in the wrong and caused the accident. That is why we have insurance, right? Okay, so insurance will take care of the expense you incur from the damage to your car and related injuries. But what about all of the time lost and aggravation caused as a result of the accident? Time away from work, away from family. Stress induced. See where I am going with this?
Here’s another example. How about being wrongfully accused of a traffic infraction and issued a ticket? You decide to fight it and win your case. Your reward? You don’t have to pay the fine for the ticket. But what about the time you had to spend going to court to plead your case? Does anyone reimburse you for that? No.
I am sure there are lots of other analogies that would fit. The point is, should those causing the strife and potential financial burden to others be held more accountable? I am all for the notion of making good and providing “break-even” restitution, but are the real victims actually breaking even? Clearly, from my point of view, they are not. And why? Because of the negligent acts of someone who decided not to take proper precautions to avoid or mitigate the inherent risk to begin with.
While a tragic situation, kudos to Carnival Cruise Lines (parent company of cruise ship operator Costa Crociere SpA) for attempting to provide fair restitution to all of the uninjured passengers (and those who did not suffer the loss of loved ones) who were part of the cruise ship disaster that took place off the coast of Italy on January 13. The cruise line offered to pay the uninjured passengers roughly $15,000 each to compensate them for lost baggage and the psychological trauma they suffered as a result of the accident. This is in addition to reimbursing passengers the full cost of their cruise and return travel expenses. While passengers are free to pursue legal action of their own if they aren’t satisfied with the offer, this is the type of gesture that I am talking about that ought to become the required norm to help offset the negative customer experience.
As we continue to see data breaches escalate at an alarming rate, I think it is time for organizations to step up and take on more accountability. While in no way should data breaches be equated with the tragic events of the cruise ship accident, companies dealing with all types of customer inconvenience or strife can learn a thing or two from Carnival’s actions. If they don’t do it voluntarily, then perhaps it is time for legislation to be put in place that alleviates some of the burden thrust upon the helpless victims of these breaches and offers a more equitable level of restitution.
Comments
The Zappos hackers seem to have accessed some of the information stored in the retailer’s customer profiles. We don’t know whether or not the criminals have been able to actually access the customers’ accounts, as we don’t know if they could have retrieved the passwords. Yet, even if they did, that wouldn’t have done them much good. What could have happened? Let’s say that they attempted to place an order. Well, even if it did go through, which is unlikely, it would’ve been disputed by the cardholder, who would have been reimbursed for any possible losses. Aside from that, any card data that may have been stored in a hacked profile would have been perfectly unusable, because it only shows the last 4 digits of the account number.
The bottom line is that, as the data breach was immediately discovered and the customer passwords reset, the hackers would have been left with the kind of information they could have found in the Yellow Pages, with much less trouble and for free. For a more detailed analysis: http://blog.unibulmerchantservices.com/the-zappos-data-breach-10-days-on-the-lessons-continue.