Gonzalez Lawyers, Judges Debate Data Breach Costs

When two Boston-based federal judges sentence Albert Gonzalez Thursday (March 25) and Friday (March 26) for a rash of retail cyber-break-ins that he confessed to orchestrating, the exact sentence may be academic. The key legal argument is shaping up to be this question: "When a retailer is breached, what's the most reasonable way to determine loss?" The answer is proving to be as baffling, or contradictory, to the federal jurists as it is for most retail CIOs.

For you incarceration enthusiasts out there, with prosecution and defense recommendations running between 17 and 25 years, it's certainly likely the judges will stay within that range.

The question of what constitutes a loss in a data breach is complex. Is it limited to what is taken or to what the thief attempts to take? Should the loss include what was actually—and successfully—accessed, or should it assume that when a card with a $10,000 limit is taken, a $10,000 loss—regardless of what the thief did—should be recorded?

If class-action lawsuits are filed (and they will be filed), should the cost of lawyers and courthouse travel be included? What about payment for additional security? And perhaps a new POS system that includes that better security? (While we're at it, the server room could sure use a new coat of paint. And some better furniture. Definitely some better furniture.) What about the forensics probe? Or the 5-year maintenance deal the forensic team sells you while on site?

Some stretches could even be plausible. For example, what if the breach requires extensive hours from all IT personnel? That's legitimate. And what if that necessity pushes dozens of unrelated projects to the back burner? What if those delays slow down a product rollout, giving your rivals the time to get to market first and thereby stealing market share? Are those reduced sales—which are a direct result of a slower launch, which itself was caused by necessary breach cleanup—something that should be blamed on the thief? On the one hand, the answer may be "yes." But that answer in turn raises the question of where blame should stop.

The legal foundation for getting into the "what's really a loss?" issue involves federal sentencing guidelines. To up its sentence recommendation to the maximum—25 years, which the U.S. Attorney's Office characterized as "imprisonment for life"—the government had to argue that it could prove more than $400 million in losses. That dollar amount forced the issue of defining what a loss is, in the context of a data breach.

Gonzalez's attorney, for example, issued a subpoena to TJX demanding that the retailer prove it had really lost the $171.5 million it claimed. The March 12 subpoena demanded that TJX give the defense "any and all documents and records of any description, both hard-copy and electronic, including, but not limited to, invoices paid by it, on which TJX bases its claim."

TJX, understandably, is fighting the subpoena. Gonzalez "argues that TJX has overstated the loss it suffered from the intrusion or, alternatively, that certain of TJX's expenses that comprised part of its loss were discretionary or were the result of its own negligence," a TJX filing said. "TJX should not have to expend further time and costs to validate the figures it has presented to the court." TJX then made an interesting legal point. In those same federal sentencing guidelines, TJX's filing said, "in cases involving stolen credit or debit cards, loss is quantified as a minimum of $500 per stolen payment card." It added that its SEC filings "reported that data relating to at least 11.2 million unexpired payment cards were stolen during the intrusion. Defendant has not questioned this number. Applying the $500 per card minimum to these cards alone would yield a loss well above the $400 million threshold. The court could also apply the minimum $500 per card to the more than one million cards the Defendant stole from retailer DSW alone—thus ignoring both TJX's claimed loss and any calculation based on payment card data from TJX—and still be well above the $400 million threshold."

But the lawyers have many guidelines for sentencing. The law says the court should define "loss" as "the greatest of actual loss or intended loss." The government cited a recent appellate court decision as offering yet a third metric: "The First Circuit has held that, in the case of stolen credit cards, intended loss reasonably may be found to be the stolen payment cards' aggregate credit limit, since it is natural and probable to expect that purchasers of the stolen card numbers will charge as much as possible to them. It is also reasonable to hold a defendant accountable for the amount of loss as measured by the aggregate credit limit, even though the defendant's personal profit has been dramatically less."

Defense counselor Martin Weinberg disagreed. He pointed out that "the government's discussion omits the fact that tens of millions of the accounts had expired and would therefore no longer have had credit limits at all." He added that "the $500 per access device equation from which this figure is derived is completely arbitrary and lacking in any empirical validation" and that it was "irrational."

Weinberg pointed out that, with TJX, "of the 36 million card numbers obtained from TJX, at least 25 million--approximately 70 percent--were expired and therefore unusable." He also quoted from a federal probation department pre-sentence report about the Dave & Buster's breach.

"Defendants obtained account information for approximately 110,630 debit and credit card accounts through the Dave & Buster's intrusion. However, it further states that defendants obtained account information for 5,132 accounts from a particular Dave & Buster's restaurant but used only 675--approximately 13 percent," Weinberg wrote. "Using the arbitrary $500 per card figure, the Dave & Buster's loss would be $55.315 million but, in reality, the losses to Dave & Buster's and affected financial institutions was, according to the [pre-sentence report], only approximately $1.32 million. Thus, the loss produced [in the government report] is 42 times the actual loss."

The argument Weinberg makes is, in essence, that the government can't take a large number of retail victims to get to a huge number of intercepted cards and then not bother proving that any of the specific claims holds up to close scrutiny.

"Despite having had access or potential access for several years to the foreign servers, to the affected corporations' own internal investigations, and to records from Visa, MasterCard, and American Express, as well as possession of [accomplices'] computers and of records which would distinguish between losses attributable to the corporate response to the intrusion and losses attributable to use of the stolen data, the government has never quantified the amount of stolen data which was actually used to unlawfully obtain money from ATM machines, retailers, banks, or other sources to which the data was linked. Critically, despite the government's possession of [accomplices'] computers, the government has adduced no evidence regarding the extent to which stolen data was ever used to an individual cardholder's detriment, as opposed to simply remaining on the server." The defense counsel also pointed to the government having "sought forfeiture of $1.65 million in proceeds, which presumably reflects the government's best estimate of the proceeds derived from the offense and which Gonzalez agreed to forfeit under the plea agreement."

Counsel further drilled into the particulars of the loss claims reported by other retailers, pointing out that the vast majority of dollars cited have little to do with his client's conduct. From a description of Heartland as victim: "Gonzalez's offense level, and concomitantly, his punishment, should not be inflated because Heartland decided to spend large sums of money on public relations or on implementing changes in its computer systems to make them more secure."

In a filing from Heartland, the victim claimed $111.3 million in losses, broken down into four areas: "(1) paying assessments imposed by MasterCard and Visa, (2) paying settlements reached with Visa and American Express, (3) settlement offers to certain card brands to settle their claims against Heartland, and (4) settlements deemed likely to be reached in the future with other claimants. The information provided is entirely too broad and undifferentiated to provide a basis for a reasoned estimation of the loss. It also should not include costs incurred by Heartland in defending itself against governmental investigations into its systems and practices, especially an investigation into whether Heartland officers and employees are guilty of insider trading."

In addition, the defense counsel challenged the government on its claims surrounding "intended loss," which is defined as "the loss the defendant reasonably expected to occur at the time he perpetrated" the breach. "By no stretch of the imagination," Weinberg wrote, "did Gonzalez expect that losses remotely approaching $400 million would result from his offenses."

The government also tried to add more dollars to the damages it's claiming for the breaches, suggesting that a stock slide of TJX was also a breach damage. "In the ten weeks following TJX's initial announcement of the intrusion and data theft, however, as investors adjusted to the news, TJX shareholders lost over a billion dollars in equity while the S&P 500 as a whole had fallen less than one percent," said the U.S. Attorney's Office in its sentence recommendation.

That argument was knocked down, but not by the defense counsel. TJX felt obliged to make a filing Wednesday (March 24) disagreeing with the government. Although "TJX's stock price did experience small movement in the months after TJX first announced the intrusion, there is no basis to conclude that such movement was caused by the intrusion or the absorption by the market of knowledge about the intrusion," said a TJX filing.

That's quite true. None of the major retailers have reported any revenue losses or negative consumer reaction at all to their breaches.

Attorneys in the case argued about differing psychiatric assessments, too, questioning whether drug use and computer addiction were factors the judge should consider when determining sentence. The government said the Gonzalez attacks were identity thefts, which the defense strongly disagrees with (they argue that Gonzalez had merely engaged in data theft, which seems more semantic than anything else; it doesn't impact the sentencing guidelines).

"If imposed, the sentences would be the longest ever imposed in an identity theft case and among the longest imposed for a financial crime, which is appropriate because Gonzalez was at the center of the largest and most costly series of identity thefts in the nation's history," wrote Assistant U.S. Attorney Stephen Heymann. "He knowingly victimized a group of people whose population exceeded that of many major cities and some states--certainly millions upon millions, perhaps tens of millions. He did so at the cost of hundreds of millions of dollars to businesses ranging from small banks and credit unions to Fortune 500 companies."

Defense filings urged the judges to differentiate between victims. Although Gonzalez was a central player in some attacks—such as against TJX—he had a much smaller role with others. "Gonzalez did not even know of the Heartland intrusion prior to its occurrence. His role in these offenses was limited to permitting 'Hacker 1' and 'Hacker 2' to have access to certain servers he controlled and, on one occasion, asking [another accused cyberthief] to modify malware which had been designed by 'Hacker 1' or 'Hacker 2,'" Weinberg wrote. "He had no other involvement in either the Heartland or Hannaford intrusions and only minor and insignificant further involvement with the 7-Eleven intrusion. He did not own or have any control over the Gigenet server used by 'Hacker 1' and 'Hacker 2' in the 7-Eleven offense, nor did he write any of the malware they used."