SAN FRANCISCO -- Corporate liability for compromised confidential data could be enormous, but the extent remains to be seen, according to legal experts at RSA Conference 2007.
Criminals who steal data such as customer credit card numbers, Social Security numbers and account numbers hang onto the data for more than a year before trying to use it or sell it, says Jon Stanley, whose Cape Elizabeth, Maine, firm specializes in database breach cases.
“It’s the vintage-wine syndrome,” he says. “You wait until it ages.”
Waiting until the heat is off makes the data more valuable. Typically, heightened credit monitoring goes away after a year, he says, at which time those with the compromised data can use it with less fear of getting caught.
That is also when people whose data has been stolen will start suffering real damages, which is the legal test for whether they can sue to get their money back, says Ben Wilson, an attorney who co-chairs an American Bar Association committee on information security.
He says he’s seen Web transactions where people who have compromised data are selling it online to those who wish to exploit it. The bidding is done in a proprietary currency system and is intense. “They’ll offer information for sale and say this offer is good for the next one or two minutes,” Wilson says.
Whether those whose data is compromised can recover damages is still unclear, he says, partly because not enough cases have been heard yet and partly because the laws governing these cases differ from state to state, and 15 states still have no laws about data breaches.
Differences in state law include how much security businesses must have in place to protect the data, whether they have to notify their customers whose data is compromised, and whether the company takes steps to warn people whose data may have been compromised.
A company’s liability may depend on whether it meets the legal requirements for doing business in a state. That definition varies from state to state.
Companies also could face liability if Federal Trade Commission regulators investigate, find fault and issue fines, Wilson says.
In the meantime, damage to reputation is still the top danger of data breaches. When a business allows its data to be lost or stolen, it suffers potential loss of customers and in some cases even a drop in stock value, Wilson says.