Almost two million dollars has been spent on mitigation following a major loss of data in Texas. Owing to the well-organized work done with victims of the data loss, officials at the state tax department have succeeded in saving almost $20 million of taxpayers' money.
Analytical center InfoWatch recalls that on March 31, 2011, a Texas Comptroller's office database, containing the personal information of 3.5 million residents, was revealed to be publicly accessible. The database contained names, addresses, social security numbers, and other information. The Comptroller's office now acknowledges that the database was publicly accessible for a year. Chief InfoWatch analyst Nikolay Fedotov estimated the approximate value of one record from the database to be $12-18. The value of the whole database on the black market is around $40 million.
However, the Comptroller, Susan Combs, confirmed that no one had become a victim of fraudsters as a result of the loss. During the two weeks following the discovery of the data on the Internet, the office wrote to the citizens whose data had been compromised to inform them of the loss. Postal services cost the office $1.2 million. According to Combs, the efficient mitigation work carried out following the loss significantly reduced the negative reaction of victims.
Around 100,000 people, the most principled and mistrustful, nevertheless decided to monitor their credit history. This is only 3% of the total number of victims. The relevant services cost these mistrustful Texans $600,492, or $6 per person. If all of the victims had expressed a wish to check their credit history, the cost of mitigating the consequences of this loss would have been close to $22 million.
Officials at the Comptroller's office also succeeded in avoiding a lawsuit by the victims. Knowing how American justice works, the amount that the taxmen's negligence could have cost the state can only be guessed at.
Nikolay Fedotov, Chief InfoWatch analyst: “In the US, this type of approach has long been accepted. To protect personal data and guarantee its confidentiality, measures to mitigate the consequences of a loss are prepared. Two lines of defense are always better than one, particularly since it is impossible to completely prevent losses, and will continue to be so in the future. Personal data is protected; however, if an incident still occurs, then within a few days, mechanisms to mitigate the consequences are mobilized. As a minimum, the subjects of the data are notified and financial monitoring is initiated for them, which means that criminals are unable to commit fraud with the stolen data. The creation of a similar mechanism would also be useful in Russia.”