Fines for Lax Data Security Might Make Difference

Veterans' groups may have accidentally found the remedy for companies' lax protection of customer information. The cure: $1,000 for each person affected by a data breach.

The veterans' groups behind a massive class-action lawsuit against the U.S. Department of Veterans Affairs, which opened the door for the personal information of 26.5 million veterans to be stolen from an employee's home, are seeking damages of $1,000 for each person affected.

While the suit doesn't affect the corporate world, it's not a bad idea.


The lawsuit charges that the VA "flagrantly disregarded the privacy rights of essentially every man or woman to have worn a United States military uniform."


To make amends, the plaintiffs want $1,000 in damages for each person listed in the database that was stolen. Add it up, and that's damages of $26.5 billion. Ouch.

Now, I'm not the lawsuit-lovin' type, but this case could provide a eureka moment. Disclosing breaches, as required by California law, only results in public scorn that's forgotten faster than the fifth-place finisher on "American Idol."

Meanwhile, regulators come up with wimpy fines. In January, the Federal Trade Commission levied $15 million in fines against ChoicePoint, an aggregator of consumer data whose lax procedures led to the disclosure of personal information on 163,000 individuals to fraudsters.

The FTC had charged ChoicePoint with violating the Fair Credit Reporting Act, among other issues.

While $15 million is a big chunk of change, it only amounts to half of ChoicePoint's net income for the quarter ending March 31. Whoopie.

It's high time consumers got a little more blood out of companies that can't protect data. Enter the $1,000 benchmark, which we'll call the $1K rule. Under that benchmark, ChoicePoint should have been fined $163 million.

Clearly we're on to something with this $1K rule. With enough financial pain, maybe companies will even encrypt data on laptops (a novel thought), restrict access to personal data (now we're cookin') and even — gasp — not collect so many unnecessary data points in the first place (will never happen).

Under the $1K rule, the YMCA — which reported that a laptop containing the customer records of about 65,000 individuals, including debit card, credit card and Social Security data, was stolen — would face $65 million in pain (safe to say it wouldn't be too much fun to stay at the Y-M-C-A after that).

Auditors at Ernst & Young would have to pay $243 million after warning that the personal data of roughly 243,000 customers was exposed at the online travel site.

Are the fines Draconian? Yes. Effective? You bet. But with a little pain, companies will get their security act together. I'm starting to feel better already.


Copyright © 2006 Ziff Davis Media Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.