Is data loss compensation unfair?
A well-known Information Security researcher, best known for his recent work collating and archiving reports of data loss, the often inextricably linked forerunner to identity theft, has recently spoken out against the seemingly poor standard of compensation generally offered by affected companies to their consumers.
Attrition.org is one of the best-known clearing houses for collating reports of data loss and theft, and earlier this week Jericho, the co-founder of the site, released a rant decrying the standard of compensation that is often offered in cases of data loss.
In the discussion that followed the publication of the rant, commenters have suggested that compensation is offered in this form because it is the simplest and cheapest measure that can be taken after the event, making it a purely reactive measure. It may have been a part of the business's plan to help their affected customers mitigate the increased risk of identity theft, but it may just be a reactive measure to try to save some dignity after the data loss.
There isn't really much else that can be done once the loss has taken place. With breach disclosure laws having no real effect on identity theft, perhaps it's time the system was overhauled (again).
The biggest problem is that credit monitoring doesn't really work. It works fine for the sorts of identity theft that will query the consumer's credit reports, but there are plenty of ways to victimise an individual without resorting to activity that will be seen on a credit report, and there are methods by which criminals can still access credit without a query showing up on the records, something which does not help the victim in any case.
The fairest argument from the point of view of the customer (of which we are all one at some stage or another) is that if a company or government agency can't handle identity data in a competent manner, then they should not be allowed to handle such data in the future. If this means that companies are sent out of business, then it is a cost of doing business that needs to be understood. Engineering, Medicine, and Law are just some of the professions where professional misconduct can see someone prevented from working in that field in the future.
There are some people who are beginning to realise that, while the data loss laws might be lacking (and the rapid pace of technological advancement guarantees that), the overall risk to a consumer means that companies are liable under a range of existing consumer protection laws. It might be another 12-24 months before a significant court case demonstrates this, but it appears to be something that will shape the future of handling data loss and theft cases.











