According to the Identity Theft Resource Center (ITRC), US companies, government agencies, universities, and other non-profits last year reported almost 450 breaches and over 17 million personal records exposed. That is nowhere near as bad as 2007, when the number of stolen records reached a breathtaking 122 million. One metric that's harder to pin down is the direct cost of a data breach. These expenses typically don't show up in breach statistics. Public companies will eventually expense an intrusion if it's "material", but you'll have to dig into their annual reports to find the numbers.
The total liability for a breach usually goes well beyond the basic fraud losses (the fraudulent charges that merchants, card issuers and cardholders end up eating) to include investigation fees, credit monitoring, legal fees, court settlements, and civil fines. To get a sense of how the costs break down in a particular case, I looked at one of 2012's largest breaches, involving a credit card processor. While the actual exploit is still a mystery, at least 1.5 million credit card numbers are believed to have been exposed, and the true number is likely higher.
In its 2012 annual report, the company said it had incurred about $94 million in costs associated with the breach. A little over one-third, or $35 million, represented "total fraud losses, fines and other charges that will be imposed upon us". The facts about this breach are a little sketchy. Although the processor publicly reported the incident in early 2012, experts believe the attackers may have gotten into its servers as early as June 2011. In other words, there was plenty of time for fraudulent charges to pile up, which may explain the high fraud expenses.
There's also a $60 million expense for "professional fees and other costs" associated with investigation and remediation, payments to business partners, and credit monitoring. To understand that last category, check out my post on the national credit reporting agencies that maintain consumer credit information.
When a consumer suspects identity theft, the law lets her place a fraud alert on her credit file so that creditors are warned that an identity theft incident may be in progress. After a large breach, the company will typically pay for a credit monitoring service for the affected consumers, one that watches millions of credit files for unusual activity such as a change of address or a new account opened against existing credit information. It's another expense that needs to go into the intrusion cost equation.
What about legal costs and lawsuits? To get a feeling for how enormous these can be, I went back to one of the worst breaches of 2007. That year a major retailer reported the theft of 45 million customer records. It can be challenging to get an exact accounting of legal expenses from corporate financial reports, and in this case the costs were expensed over several years.
But here's what we do know. In its 2007 annual report, executives told investors they had established a pre-tax reserve of almost $200 million to cover all of the breach liabilities, with most of that amount dedicated to legal matters.
There are too many suits to cover in such a short post. But the retailer settled a class action brought by the card issuers, who had to re-issue millions of cards to their customers. Several other class actions were pending, including one based on the Fair and Accurate Credit Transactions Act (FACTA), which covers the protection and privacy of consumer credit information. At the time of the annual report, several state attorneys general were investigating whether the retailer had violated state consumer protection laws, and the FTC was examining whether other federal laws had been violated.
There are some well publicized numbers for the total cost of a breach: about $200 per record. That figure includes indirect costs such as lost customers, brand damage, lost employee productivity, and other intangibles. When I looked only at direct costs (legal, remediation, administrative, and so on), the amounts were more in line with the breach cost data in this post, say between $4 and $10 per record. A quick check: the retailer's $200 million reserve over 45 million records comes to roughly $4.50 per record. The card processor's $94 million over 1.5 million records is closer to $60 per record, and it only falls into the single-digit range if the true exposure was closer to 10 million records, which is consistent with the earlier caveat that 1.5 million is a floor.
Even if you find the indirect costs a bit of a stretch, the direct costs alone, especially for a large company, should make executives think more strategically about spending to protect their data. After all, a file with one million account numbers may end up costing $10 million, which is a lot of money to pay for poorly configured file permissions!