
Comment by hrunt

9 months ago

Here's a fun thought experiment.

How much should National Public Data have to pay the people affected by this breach? The article says there are 2.9 billion people impacted. Let's take that at face value and assume that there are no duplicates in there. How much should each person receive? The article also says that USDoD tried to sell the data for only $3.5 million, so they value it at roughly $830/person.

Now, in class actions, not everyone takes the deal. Most people ignore it or never pay attention to the notice. Let's say, very generously, 10% of those affected take the deal. That would be 290 million people. If you gave each of them $100, that would be $29 billion dollars. Do you think National Public Data even has that kind of money? What if we gave everyone just your $3? That's $870 million. I don't think this data broker probably even has that much money.

Your only real hope of getting a sizable payout from this class is either a) NPD is sitting on a mountain of cash or b) a very small percentage of users get paid. Anything else and the money isn't there.

When people say that there need to be criminal, go-to-jail type repercussions for not securing data, this is why. People value their freedom much more than businesses value staying solvent.

Planet Money just did a great episode on how class action lawsuits actually work, from both sides[1].

[1] https://www.npr.org/transcripts/1197961271

> The article also says that USDoD tried to sell the data for only $3.5 million, so they value it at roughly $830/person.

When I divide 3,500,000 USD by 2,900,000,000 people, I get $0.0012/person. How do you get $830/person?

I don’t want their $3 or even $3000, if I am eligible for payout.

Instead, I’d like to force this company (and others similarly) to put all kinds of precautions in place. Also warn them that the next breach would result in severe penalties, assuming they could’ve prevented the breach in the first place.

  • I would rather put these clowns out of business, as they obviously can't be trusted in the first place, and are undeserving of a second chance after causing one of the largest leaks of PII in history. They should not have an option of paying a fine, putting in whatever "mitigating controls" a useless audit lets them skirt by with, and continuing business serving our data they never should have been allowed to possess in the first place.

    Where do these scumbags even begin to get this information on every human's most intimate data, and what allows them to operate as a trusted source of protecting this information?

    I also want to know who does their audits, and who regulates them?

    It is unbelievable organizations can appoint themselves resellers of OUR information without any of us even knowing who they are or how many there are.

    This is an industry the FTC should be involved in regulating heavily. Lina Khan always needs a new degenerate company to kick around, let's start with these guys.

    • There is a big effort from people like Reid Hoffman to get rid of Lina Khan. Hopefully it fails.

      Yeah, I suppose just shutting them down is a better idea. In that case, we also need to make sure they don’t pop up with a different name and do the same thing all over again.

> Do you think National Public Data even has that kind of money?

If they don't have insurance for this precise problem then I think we should go after the owners personally. I'm sick of the shell game. Pierce the veil.

A fun thought experiment: the company loses the suit, with both actual damages and punitive damages large enough to bankrupt the company. The company is sold for parts and other companies become a little more wary of repeating the same mistakes (hopefully better security around their core business value).

This suit opens the company to discovery in which several jurisdictions get access to their books and methods, opening them up to litigation and prosecution in places like the EU.

The $2.99 check is not the only benefit I get from a class-action lawsuit.

Only 450 million SSNs have been assigned (and only 1 billion are theoretically possible...)

No, they should sign you up for free credit monitoring for 7 years. All I would get is a letter stating something like this: "Your credit is being monitored by firm xxxx; you will receive notices from them by mail when items of concern are noticed" along with a real direct-line phone number to call with questions.

I should not have to do anything nor give any information. Why 7 years? That is equal to the statute of limitations for saving US tax documents.

That alone will end these breaches almost overnight.

  • (It's a myth that there's an IRS 7 years 'statute of limitations'. It's far more nuanced than that: https://www.irs.gov/businesses/small-businesses-self-employe... )

    However, it's still a reasonable time frame, and also, probably coincidentally, 7 years after the last update on any individual record is how long it will take to essentially reboot your U.S. credit report, so seven years sounds quite reasonable.

    • The time frame should (of course) match how long the information will remain valid.

      And SSNs are for life aren't they?

      So, it's not like the information is going to expire.