An event on the scale of the HMRC's lost data debacle would have
cost a private company at least £4bn, according to insurance broker
Jardine Lloyd Thompson.
Using a US model, the company's Cyber & IT Risks division has
calculated how much HMRC could have lost if it had been a private
company.
Jeremy Smith, head of Cyber & IT risks at Jardine Lloyd Thompson,
said that in the US, legislation means companies have to
report data leaks and when this happens the company responsible
faces costs including offering customers bank account monitoring
services and having to notify customers.
He said credit monitoring, which costs on average £50 per year,
would probably have to be provided for three years, which for 25
million customers would have cost £3.75bn.
It would also cost around £250m to change all the customers'
bank details, £7.5m just to notify customers by letter and a
further £200,000 to carry out forensics to find out what went wrong.
None of this includes costs that can be incurred if customers or
the banks affected sue, said Smith. "If the details do get into the
wrong hands and fraud is committed the costs can be enormous. The
banks usually pay this but if they can prove that the company has
been irresponsible they could sue," he added.
He said US legislation regarding the protection of customer data
means that companies are liable for massive costs in the event of
leaks. "We sell a lot of policies to cover this in the US and it is
starting to pick up in the UK."