A few days ago I was challenged over the effort and cost of protecting private data when, as has been observed, there often does not appear to be much in the way of actual impact to an organisation’s share price or customer base subsequent to a data breach.
Take TJX for instance, currently trading close to a 52 week high in spite of suffering one of the worst recorded breaches of customer credit card data. Or, take a look at ChoicePoint, who lost close to 170,000 private records back in 2005, whose stock has also risen and they are now the targets of a $4billion dollar acquisition by Reed Elsevier.
Now, I’m sure that the individual who challenged me on this issue wasn’t suggesting that we ride roughshod over the security of our customers data however, his point was that research such as that published by the Ponemon Institute which suggests a cost of $197 per record breached doesn’t reflect reality.
But let’s keep in mind a couple of important facts. Firstly, with regards to Choicepoint they’ve had to pay out on a $10million class action lawsuit, $10million in civil penalties, and a further $5million for consumer redress. Further, their credibility and reputation were worst affected. The same goes for TJX who, it is estimated, have had to expense more than $100million between regulators, customers, and internal expenses to make good on the data breach. A good source of reference for more information about these and other data breaches is this one here.
However, one could argue that it’s only money and that a large, cash-rich, business with a strong customer base and a popular product line can easily ride out some extraordinary expenses. That’s probably true but I’m not so sure for smaller businesses and anyway there is something about this whole arguement that makes me feel quite uncomfortable.
There’s an inference that financial, bottom line, impact is the only consideration that we need take into account. However, there are two important other aspects in the calculation: reputation and operational costs. The first is intangible and can refer to reputation amongst customers, in the press or the CEO amonst his peers and with regulators. The second can have an impact long beyond the original event: systems may need to be redesigned, new processes and policies put into place. Let’s not also forget that the auditors are going to be extra meticulous in the future as well.
More fundamentally still is the fact that when we capture and store data from customers, clients, members of the public or whoever, then we are obligated to have the right security in place to protect it regardless of the type of business that we operate .
I probably still wont convince the person who challenged me on this issue however, I encounter individuals on an almost daily basis who have a little knowledge and whose own actions – if left unchecked – would compromise security.
For more information about data breaches and their impact. I recommend the Breach Blog here.