The Cost of Data Breaches

Over the past year, a number of high-profile data breaches have illuminated how unprepared some of North America’s largest corporations are in the face of increasing cyber threats. In 2014, several major corporations, including household names such as Neiman Marcus, Michaels, Target, Home Depot, JPMorgan Chase, and Sony Pictures, fell victim to malicious attacks that compromised consumer data, including millions of credit card numbers, customer contact information, and intellectual property. This year alone we have already seen two major health insurance providers, Premera Blue Cross and Anthem, suffer data breaches that collectively could have compromised 90 million Social Security numbers.

Although these numbers are frightening, there may not be enough current financial incentive for companies to invest in robust information security measures. Recent findings by Benjamin Dean, a fellow at Columbia University’s School of International and Public Affairs, showed that the “actual expenses from the recent and high-profile breaches at Sony, Target and Home Depot [amounted] to less than 1% of each company’s annual revenues. After reimbursement from insurance and minus tax deductions, the losses are even less.”

These numbers fail to fully capture the scope of costs associated with a data breach. For example, they do not include the dozens of class action lawsuits that usually follow. Home Depot is currently facing forty-four civil lawsuits related to its breach last year, which exposed 56 million debit and credit card numbers. These numbers also don’t reflect the cost of fraudulent charges for which both retailers and credit card companies may be left liable. In the case of Target, $1.4 to $2.2 billion in possible fraudulent purchases could ultimately be charged to the cards that were compromised. Consequently, the Payment Card Industry (PCI) Security Standards Council, which represents Visa, MasterCard, American Express, Discover, and JCB, could fine Target between $400 million and $1.1 billion.

The costs don’t end there. In the immediate days and weeks following a breach, normal operations are heavily disrupted as the company undergoes incident response and damage control. After the high-profile cyber attack on Sony Pictures last winter, it took over two months before systems and operations returned to normal; in the meantime, staff had to rely on old BlackBerrys and manual paycheck machines to conduct business. Other long-term repercussions can include reputational damage, customer churn, higher insurance premiums, personnel changes, and fallout in critical business relationships. Both the Chief Information Officer and the Chief Executive Officer of Target resigned in the months following the company’s breach, shaking investor confidence and representing the loss of decades of institutional knowledge. Moreover, though large corporations may be able to absorb such costs, according to the National Cyber Security Alliance, 60 percent of small- and medium-sized businesses go out of business within six months of a data breach.

The costs of a serious data breach are difficult to fully assess: many of the repercussions never show up on a balance sheet and can continue to have an impact months, or even years, after a breach occurs. Even more striking is that the majority of last year’s data breaches were preventable. A robust security posture can help companies defend against attempted data breaches, minimize response and recovery time when a breach ultimately does occur, and reduce the overall cost of cyber attacks to the company.