Real cost of a data breach

A few days ago I was challenged over the effort and cost of protecting private data when, as has been observed, there often does not appear to be much in the way of actual impact to an organisation’s share price or customer base subsequent to a data breach.

Take TJX for instance, currently trading close to a 52-week high in spite of suffering one of the worst recorded breaches of customer credit card data. Or take a look at ChoicePoint, who lost close to 170,000 private records back in 2005, whose stock has also risen, and who are now the target of a $4 billion acquisition by Reed Elsevier.

Now, I’m sure that the individual who challenged me on this issue wasn’t suggesting that we ride roughshod over the security of our customers’ data. His point, however, was that research such as that published by the Ponemon Institute, which suggests a cost of $197 per record breached, doesn’t reflect reality.

But let’s keep in mind a couple of important facts. Firstly, with regards to ChoicePoint, they’ve had to pay out on a $10 million class action lawsuit, $10 million in civil penalties, and a further $5 million for consumer redress. Further, their credibility and reputation were the worst affected. The same goes for TJX who, it is estimated, have had to expense more than $100 million between regulators, customers, and internal expenses to make good on the data breach. A good source of reference for more information about these and other data breaches is this one here.

However, one could argue that it’s only money and that a large, cash-rich business with a strong customer base and a popular product line can easily ride out some extraordinary expenses. That’s probably true, but I’m not so sure for smaller businesses, and anyway there is something about this whole argument that makes me feel quite uncomfortable.

There’s an implication that financial, bottom-line impact is the only consideration that we need to take into account. However, there are two other important aspects in the calculation: reputation and operational costs. The first is intangible and can refer to reputation amongst customers, in the press, or the CEO amongst his peers and with regulators. The second can have an impact long beyond the original event: systems may need to be redesigned, and new processes and policies put into place. Let’s not forget that the auditors are going to be extra meticulous in the future as well.

More fundamental still is the fact that when we capture and store data from customers, clients, members of the public or whoever, we are obligated to have the right security in place to protect it, regardless of the type of business that we operate.

I probably still won’t convince the person who challenged me on this issue. However, I encounter individuals on an almost daily basis who have a little knowledge and whose own actions – if left unchecked – would compromise security.

For more information about data breaches and their impact, I recommend the Breach Blog here.

1 comment

I believe that there's a much more fundamental issue that's missing from the wider discussion. You've got to ask yourself why business spends so much money on the process and technical infrastructures to gather, manage, use and store information in the first place. Given that information infrastructures are there to support organisational decision making, be it strategic or tactical external market forecasting, or operational internal resource planning and deployment, the point is that business needs to trust the information that decisions, big or small, are being based on. Surely, the relatively small amount of corporate revenue (especially when compared with the much greater amounts spent on information infrastructure) is a small price to pay in order to safeguard an organisation's decision-making capability? I mean, imagine the situation of an organisation facing a critical business decision and it didn't have access to the right information when it absolutely mattered, or that it couldn't trust the source or processed information, or that competitors had already had sight of corporate thinking.