
hrunt | 1 year ago

Here's a fun thought experiment.

How much should National Public Data have to pay the people affected by this breach? The article says there are 2.9 billion people impacted. Let's take that at face value and assume that there are no duplicates in there. How much should each person receive? The article also says that USDoD tried to sell the data for only $3.5 million, so they value it at roughly $830/person.

Now, in class actions, not everyone takes the deal. Most people ignore it or never pay attention to the notice. Let's say, very generously, 10% of those affected take the deal. That would be 290 million people. If you gave each of them $100, that would be $29 billion. Do you think National Public Data even has that kind of money? What if we gave everyone just your $3? That's $870 million. I don't think this data broker probably even has that much money.

Your only real hope of getting a sizable payout from this class is either a) NPD is sitting on a mountain of cash or b) a very small percentage of users get paid. Anything else and the money isn't there.

When people say that there need to be criminal, go-to-jail type repercussions for not securing data, this is why. People value their freedom much more than businesses value staying solvent.

Planet Money just did a great episode on how class action lawsuits actually work, from both sides[1].

[1] https://www.npr.org/transcripts/1197961271


cs702|1 year ago

> The article also says that USDoD tried to sell the data for only $3.5 million, so they value it at roughly $830/person.

When I divide 3,500,000 USD by 2,900,000,000 people, I get $0.0012/person. How do you get $830/person?

Cieric|1 year ago

I think it was supposed to be 830 persons / $1.

akudha|1 year ago

I don’t want their $3 or even $3000, if I am eligible for payout.

Instead, I’d like to force this company (and others similarly) to put all kinds of precautions in place. Also warn them that the next breach would result in severe penalties, assuming they could’ve prevented the breach in the first place.

bastard_op|1 year ago

I would rather put these clowns out of business, as they obviously can't be trusted in the first place, and are undeserving of a second chance after causing one of the largest leaks of PII in history. They should not have an option of paying a fine, putting in whatever "mitigating controls" a useless audit lets them skirt by with, and continuing business serving our data they never should have been allowed to possess in the first place.

Where do these scumbags even begin to get this information on every human's most intimate data, and what allows them to operate as a trusted source of protecting this information?

I also want to know who does their audits, and who regulates them?

It is unbelievable organizations can appoint themselves resellers of OUR information without any of us even knowing who they are or how many there are.

This is an industry the FTC should be involved in regulating heavily. Lina Khan always needs a new degenerate company to kick around, let's start with these guys.

akira2501|1 year ago

> Do you think National Public Data even has that kind of money?

If they don't have insurance for this precise problem then I think we should go after the owners personally. I'm sick of the shell game. Pierce the veil.

thephyber|1 year ago

A fun thought experiment: the company loses the suit, with both actual damages and punitive damages large enough to bankrupt the company. The company is sold for parts and other companies become a little more wary of repeating the same mistakes (hopefully better security around their core business value).

This suit opens the company to discovery in which several jurisdictions get access to their books and methods, opening them up to litigation and prosecution in places like the EU.

The $2.99 check is not the only benefit I get from a class-action lawsuit.

cozzyd|1 year ago

Only 450 million SSNs have been assigned (and only 1 billion are theoretically possible...)

jmclnx|1 year ago

No, they should sign you up for free Credit Monitoring for 7 years. All I would get is a letter stating something like this: "Your Credit is being monitored by firm xxxx, you will receive notices from them by Mail when items of concern are noticed" along with a real direct line phone number to call with questions.

I should not have to do anything nor give any information. Why 7 years? That is equal to the Statute of Limitations for saving US Tax Documents.

That alone will end these breaches almost overnight.

gunapologist99|1 year ago

(It's a myth that there's an IRS 7 years 'statute of limitations'. It's far more nuanced than that: https://www.irs.gov/businesses/small-businesses-self-employe... )

However, it's still a reasonable time frame, and also, probably coincidentally, 7 years after the last update on any individual record is how long it will take to essentially reboot your U.S. credit report, so seven years sounds quite reasonable.

saagarjha|1 year ago

This is exactly why insurance was invented.