BreachExchange mailing list archives

How consumers foot the bill for data breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 7 Oct 2014 21:00:44 -0600

http://net-security.org/article.php?id=2138

Data breaches are almost always expensive and somebody always ends up
paying those expenses somewhere down the line, either because they were
affected directly and have no one to pass the costs on to or because they
had the costs passed on to them by someone else.

This applies to breaches of corporate, government or individuals’ data.
However, some of the most expensive hacks that do occur regularly are
typically those affecting major companies. One excellent example, which
we’re about to break down for you, is the Target retail store breach of
December 2013. In this particular case, hackers stole 40 million credit
card records from the company’s databases. Let’s see what becoming a
target cost Target.

In December of 2013, the retail giant Target got hacked and saw 40 million
credit card records belonging to customers get stolen by thieves. The costs
of this were enormous and broke down in the following ways:

- Severance for the resigning CEO amounted to 15.9 million dollars alone.
- 1 billion dollars in regulatory fines to the government for negligence.
- A whopping 2.2 billion dollars in fraudulent credit card charges that had
to be refunded by the company for losses from those 40 million card
accounts.

To top things off nicely, the retail chain also suffered a further 440
million dollars in revenue losses during 2014 so far as a result of lowered
consumer confidence from the hacks. The case of Target is just one single,
though very large, example of a corporate data breach and its costs. These
breaches happened on 617 other occasions in 2013 alone and will likely
increase even further in 2014.

The average costs of these 617 other breaches are hefty too and break down
as follows:

- $5 per customer notification multiplied by millions of customers
in total.
- $30 per card cancellation and related monitoring of credit PER customer.
- $2000 per hour in forensic examination and data security analysis costs
(which amount to an average of hundreds of hours per breach)
- $500,000 per breach in legal expenses.
- 1 million dollars per breach in corporate settlement costs.
- Another 1 million dollars per breach in regulatory fines or related
expenses.

These costs total up to some $5,400,000 in expenses per breach and some of
them can be much more expensive than that. Also, there is the fact that for
each of these breaches, an average of 28,765 customers get affected at a
cost of $188 per customer in basic compensation. Yet even all of the above
doesn’t reflect all of the diffuse costs of data breaches in the economy!

How Customers pay, directly or indirectly

Via retail stores - Retailers who get hammered by the costs of a data
breach will pass this expense on to their customers either directly or
indirectly. They can take the direct route by simply charging more overall
for their services and products or, if they have data theft insurance, they
can have their expenses covered by the insurer, who then passes those
payouts on to all of its clients and causes an across-the-board increase in
prices in a given industry.

Via credit card providers - Credit card providers and partner banks perform
the same trick on consumers as their retail counterparts. While they cover
the costs of refunding fraud charges that stem from data theft, they then
also pass those costs on to everyone who uses their services via higher fees
and interest rates, to the tune of as much as 7% per year.

Diffuse economic damage - Finally we come down to the more insidious and
diversified overall costs of data breaches. It is estimated that these
total up to $140 billion in losses per year in the U.S. alone and
include the costs of increased taxes, direct costs, fees, rates, productive
time losses and prices among other hidden expenses. The further effect of
these 140 billion dollars in losses is an estimated 500,000 jobs per year
that are lost by workers.

Identity Theft - Finally, if all the above weren’t enough, there is also
the massive nuisance of identity theft. This too costs time and money in
the following ways:

- The victimization of some 66% of affected customers whose data was stolen.
- Average costs of $6,900 and lost productive time on top of that.
- A loss of over a month of productive time for some 10% of victimized
individuals.

Furthermore, as we already explained, even if credit card companies or
retailers cover these expenses for their customers, they pass them down to
all customers in hidden raised fees or prices.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
