Sony estimates that the massive data breach affecting 100 million PlayStation Network, Qriocity, and Sony Online Entertainment customers has cost $171 million so far. However, lawsuits and regulatory fines could push that figure much higher.

The money has been spent on providing identity theft protection to affected customers, costs from welcome back programs that offer services for free, customer support costs, network security enhancement costs, legal and consulting costs, as well as lost revenue, Sony said.

Sony stressed that it has not received “any confirmed reports of customer identity theft issues, nor any confirmed misuse of credit cards” from the data breaches.

The company acknowledged that class action lawsuits have been filed against the company and some of its subsidiaries and regulatory inquiries have been initiated. These could significantly increase the costs from the data breaches.


If you get a letter from your financial institution or another company you do business with saying that your account was compromised due to a data breach, first call the company to ensure the letter is legitimate. Then, watch your back if it is. According to a study by Javelin Strategy and Research, if you receive one of these letters, your chances of becoming an identity theft victim increase by 400% over persons who did not receive one.

Javelin’s survey of about 5,000 American consumers found that 19.5% of those who got a letter were later victimized, compared to 4.3% who were victimized but did not get such a letter. Robert Vamosi, an analyst at Javelin, told SCMagazineUS.com that it was not a fluke. The company has seen similar numbers in 2006 and 2007.

One reason this could be the case is that companies may only send letters to the persons most severely impacted by data breaches, such as people whose ATM card personal identification numbers or Social Security numbers got out.


Consumers may soon have a stronger voice when it comes to data breaches. The Senate Judiciary Committee recently approved two bills: the Data Breach Notification Act and the Personal Data Privacy and Security Act, which, if they become law, will require businesses whose data has been compromised to inform all affected consumers of the breach – and in a timely fashion.

Currently, the majority of states have their own data breach laws in effect, but it can be difficult to enforce conflicting standards, especially when a data breach impacts residents of several different states. Also, there is no specific nationwide standard as to what type of breach event warrants consumer notification. For example, do you have to notify a person if his or her address is leaked, or only if it is something more serious, like a Social Security number?

As it stands right now, many companies do not report data breaches that occur, especially if they are smaller ones, such as an employee stealing a 20-patient list from a doctor’s office.
