In-Depth
The Cold, Hard Costs of Data Exposure
Broken lock: $25. Stolen laptop: $1,500. The cost of corporate data breach: Priceless. Learn how to deploy resources and leadership to most effectively deal with the aftermath of sensitive data exposure.
Again and again the stories surface; only the names seem to change. Company X reports a data breach after a laptop is stolen or a server is hacked, exposing Y numbers of customers to potential identity theft. The common response to these incidents includes notifying the affected customers (as required by various state laws) and (usually) offering a year’s free credit monitoring service.
What’s untold is how much the episode is costing Company X, over and above the humiliation outlay. “Our estimate is that the cost ranges from $25 to $150 per impacted record,” said Jon Oltsik, analyst at the Enterprise Strategy Group. More visible, national companies tend to spend more, he noted, as they have to notify people nationwide and stand more risk of losing their customers as a result of the incident. Local firms with minimal competition, such as a community hospital, can mount a less elaborate response, he said.
“We believe that a realistic figure for a mid-range breach of tens of thousands of accounts will be in the range of $90 to $100 per account,” agreed John Pescatore, analyst at Gartner. He extrapolated the sum from disclosures that ChoicePoint, a public data broker, filed with the Securities and Exchange Commission after a breach. In early 2005, ChoicePoint had to admit that as many as 163,000 consumer credit accounts had been exposed to identity fraud swindlers who had gained access to the service by posing as legitimate merchants.
Of the extrapolated $100 spent per account, an estimated $80 would consist of direct charges including legal expenses, communications with affected customers, call center setup, credit monitoring services, and account number administration. Pescatore then suggested adding another $10 for systems modifications and for the effort to pin down what was exposed. Then there might be another $10 for internal costs like security audits.
Credit monitoring for a consumer costs between $5 and $12 per month, so a year’s worth of monitoring would seem to exceed the estimated $100 cost per account. But Pescatore noted that the credit reporting agencies give large discounts for volume customers, and he estimated that the cost of a year’s credit monitoring for a mid-range breach to be $20 per account. Other cases cited by Pescatore included the Department of Veterans Affairs, which spent about $4 million notifying veterans and setting up a call center after a laptop with 26.5 million names temporarily disappeared.
Other direct expenses can include fines. While ChoicePoint’s customers were supposed to demonstrate a “permissible” reason for wanting consumer data, the Federal Trade Commission complained ChoicePoint had approved information requests that contained false information, used commercial mail drops as business addresses, and were sent from public fax machines. At least 800 cases of data fraud stemmed from the breach. As a result, the FTC fined ChoicePoint $15 million, of which $5 million was to be restitution.
Litigation, of course, is always a possibility, but Pescatore knew of no class action lawsuits that have been decided in data breach cases. Before the missing VA laptop was recovered, activist lawyers were demanding that the government pay each affected veteran $1,000. That would have cost the government $26.5 billion. A new aircraft carrier, by comparison, costs about $5 billion.
Those figures, meanwhile, only concern direct costs—money actually spent responding to the crisis. Indirect costs—damaged reputation, for instance—are another issue. Security consultant Kenneth Belva, head of Franklin Technologies United, has tried to assess the indirect costs of data breaches by examining the impact they had on the stock prices of breached firms. His report, titled "How It's Difficult to Ruin a Good Name: An Analysis of Reputational Risk," showed that in most cases the public announcement of a breach was followed by a tiny dip in the stock price, followed by a rebound shortly thereafter.
For instance, when Citigroup announced a problem its stock price fell only .02 percent, and the next day rose slightly more than that. Bank of America and Time Warner, among others, experienced similar patterns, he reported.
At least, that was the pattern in most cases. But then there was the previously mentioned ChoicePoint case. Its stock price fell 3.1 percent on the day of the announcement, and then continued falling, losing ten percent in five days. It’s investors lost $720 million, estimates Pescatore, making ChoicePoint the “poster child” of data breach crises.
And then there was the case of CardSystems Solutions, a credit card processing firm that was hacked in June 2005, exposing 40 million names. It was not a public company so its stock price was not an issue, but the outcome was even more blatant: Visa and American Express cancelled their processing contracts, and what was left of the company was sold.
Why did these companies suffer when others have shrugged off the effects of a data breach? The difference, Belva indicated, was that data security was supposed to be part of the business model at ChoicePoint and CardSystems. “The worst affected is one where information processing is the core competency of the company,” he noted. “In those cases an information security incident may really hurt you.”
Meanwhile, sending out notifications of a data breach does not automatically constitute commercial suicide, noted David Bender, head of the global privacy practice at the national law firm of White & Case. “A phone call plus a personal letter will give you a lot better results than a form letter or mass e-mail,” he cautioned. “And the content is important—if you are forthright and give the kind of details that a reasonable person would want, then you are far more likely to retain your customers.,” Bender said. “A breach is never good, but you can use your actions after the breach to build faith and positive public relations,” agreed Oltsik.
Of course, avoiding the problem altogether might be a better answer, by perhaps paying about $100 per machine for encryption. “It’s a no-brainer if you’re a CPA,” noted Pescatore. “But businesses take risks, and if the IT guys say the chances of being hit are maybe one in five, you might decide to wait and see—no one fixes the roof before it rains. But with all the incidents in the press, it’s gotten to the point where a CEO might decide to get protection.”
Courtesy of http:www.itcinstitute.com.