The most prominent data breach in the news recently, as we’ve discussed, is the one at Target stores. It alone involved the theft of credit and debit card information of more than 40 million people, more than one eighth of the total population of the United States. The potential costs and liability involved are huge: according to a report by the Ponemon Institute released in May 2013, the average cost of a breach per stolen record was $136 globally; in the United States it was even higher, at $188. Multiplied by the 40 million records compromised in the Target breach, the costs could run into the billions of dollars.
Trying to mitigate and contain the damage once it has occurred is difficult. Target has reportedly offered its customers a year of free identity theft and credit monitoring protection. So have Neiman Marcus, which allegedly had records of approximately 1.1 million customers taken and 2,400 customers’ Visa and MasterCard accounts compromised, and Easton-Bell Sports, Inc., which had approximately 6,000 customers’ records stolen from its on-line store, according to published reports. Someone, though, will eventually have to pay for anything bought with the stolen credit card information.
The real cost of a data breach includes lost sales. Target’s sales, which were rising during the holiday season before the breach, slumped after the breach became public. The Target Board of Directors has reportedly even urged its president, Gregg Steinhafel, to mount a public relations offensive to reassure customers and stem the damage.
The company whose information is stolen, however, is not the only one that has to pick up the pieces. Card issuers normally pay to replace their cards, at a cost of approximately $10 per card. As a result of the Target breach, J.P. Morgan Chase has reportedly replaced approximately two million debit cards for customers whose information could have been stolen.
Even companies that at first glance don’t appear to have any direct involvement in a data breach are potentially liable; at the very least, they provide another source of money to cover the large expenses involved. Target is reportedly already considering bringing the companies that help it process credit and debit card transactions, its merchant services providers, into any class-action lawsuits customers might bring to recover their losses. The high litigation costs involved, however, should greatly diminish any potential benefit.
Perhaps it’s better to try to prevent data breaches before they occur, though it’s debatable whether this can, or will, be done.
The thefts can occur over extended periods of time: the malware that steals the information can be in place for months before the theft occurs, and the theft can be long over by the time anyone even knows what happened. In the Target breach, credit and debit card information was reportedly stolen between November 27 and December 15, 2013, while the information moved unencrypted through Target’s cash register systems. In the case of Neiman Marcus, the attack apparently occurred in stages. The malware was placed on the system first. Then, after a period of time, the information was stolen between July 16 and October 31, 2013. The theft apparently ended two months before Neiman Marcus learned, on January 1, 2014, that the malware was on its system.
The costs of trying to prevent data breaches can be quite large, too. Target was once one of the pioneers in the use of chip-based credit cards. The cards, embedded with smart chips, turn a cardholder’s information into a unique code for each transaction and often require additional authentication, such as a PIN, which makes them harder to counterfeit and use successfully. In 2001 Target launched a program, in collaboration with Visa, to allow the use of chip cards in its stores. Target reportedly abandoned the project a few years later, in 2004, because of the high cost involved, the lack of marketing benefits, and the extra time it took to process each credit card transaction. At only a few seconds per transaction, the time added up and slowed lines down. Marketing officers within the company, including its current president, Gregg Steinhafel, were reportedly afraid of the negative impact the added time had on customer relations. So, instead of pursuing a technology that might have alleviated or at least substantially reduced the risk, Target left itself open to a breach with a potential cost in the billions of dollars.
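To illustrate the point above about a unique code per transaction, here is a toy model added for this post (it is not Target’s, Visa’s or the real EMV protocol): an issuer receives a copied static swipe record and a copied chip cryptogram, and only the static record remains usable. The card key, card number and message format are all constructed for the illustration.

```python
# Toy model, not the real EMV protocol: card data copied at the register is reusable when it
# is static swipe data but not a per-transaction chip cryptogram. Key, PAN and format constructed.
import hmac
import hashlib

CARD_KEY = b"constructed-demo-card-key"   # shared by chip and issuer in this model
PAN = "4111111111111111"                  # constructed test card number

class ChipCard:
    """Chip model: each transaction carries a fresh counter and a MAC over its details."""
    def __init__(self, pan, key):
        self.pan, self.key, self.counter = pan, key, 0

    def transact(self, amount):
        self.counter += 1                     # never reused, so a copy cannot be replayed
        msg = f"{self.pan}|{amount}|{self.counter}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount, "counter": self.counter, "cryptogram": mac}

class Issuer:
    """Authorisation host holding each card's key and the highest counter seen."""
    def __init__(self, pan, key):
        self.cards = {pan: [key, 0]}

    def authorize_swipe(self, record):
        # A static swipe record (the kind the post says moved unencrypted through the
        # registers) carries no proof the card is present, so a copy looks genuine.
        return record["pan"] in self.cards

    def authorize_chip(self, record):
        key, last = self.cards[record["pan"]]
        if record["counter"] <= last:         # counter already used: replay
            return False
        msg = f"{record['pan']}|{record['amount']}|{record['counter']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["cryptogram"]):
            return False                      # altered or forged record
        self.cards[record["pan"]][1] = record["counter"]
        return True

def replay_damage():
    issuer, card = Issuer(PAN, CARD_KEY), ChipCard(PAN, CARD_KEY)
    stolen_swipe = {"pan": PAN, "amount": 50}          # static track data
    stolen_chip = card.transact(50)                     # one chip cryptogram
    issuer.authorize_swipe(stolen_swipe)                # the genuine purchases go through
    issuer.authorize_chip(stolen_chip)
    edited = dict(stolen_chip, amount=5000, counter=stolen_chip["counter"] + 1)
    return (issuer.authorize_swipe(stolen_swipe),      # copy of static data: accepted
            issuer.authorize_chip(stolen_chip),        # copy of cryptogram: rejected
            issuer.authorize_chip(edited))             # edited cryptogram: fails MAC
```

`replay_damage()` returns `(True, False, False)`: the copied swipe record authorises again, while the copied and the edited chip records are both refused.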
Your business does not have to be as large as Target, or even run an on-line store like Easton-Bell Sports, to run the risk of having your customers’ financial information stolen. Most businesses deal with sensitive digital information every day. Each time your customers pay by credit or debit card, you obtain, keep, and transfer a record of their financial information. A simple swipe, or entry of a PIN code, increases your exposure. After all, that is exactly the same information taken in the Target breach, and look at the cost.
With potential costs as large as they are, with exposure rising steadily, and with the benefits of using digital technology too large to ignore, just about every business should learn how best to protect itself and its customers. If it can happen to such well-known, large companies as Target and Neiman Marcus, with their vast resources, it can happen to small and medium-sized firms that have the exposure but perhaps not the resources to focus their attention on the problem. An ounce of prevention just might be better than a pound of cure. We’ll examine what can, and should, be done in subsequent posts.
Ray Grasing