Data breaches getting costly

Wake-up call to the C-suite: Lawsuits and regulators will put stiffer price tag on corporate lapses  

By Matthew Scott

May 28, 2007 (Financial Week) -- Corporate executives don't seem to be sweating over the increasing size, severity and frequency of data breaches, but they may be ignoring the problem at their—and their companies’—peril.

Experts are warning that lawsuits and increased pressure from federal and state regulators will soon make data breaches a problem too expensive to ignore. With the size of the breaches seemingly getting larger every year, executives should know how to protect their systems better by now.

For example, Columbus, Ohio-based shoe discounter DSW estimated a loss of $6.5 million to $9.5 million when 1.4 million credit and debit card records and 96,000 checking account records were hacked from its computer systems in 2004 and 2005. And earlier this month, Alcatel-Lucent discovered that a computer disk containing the names, addresses, social security numbers, dates of birth and salaries for thousands of Lucent employees and retirees and their dependents was lost or stolen, placing all those individuals at risk of identity theft.

TJX Cos., which reported a record 46.5 million customer credit and debit card numbers stolen in January, tops them all. The financial toll on the company from this mishap could reach into the hundreds of millions of dollars—and may turn up the level of overall corporate concern about this problem.

TJX, parent company of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores, is facing a $10 million lawsuit from the financial institutions that issued the millions of compromised credit and debit cards associated with the data breach. Last month, the Massachusetts Bankers Association, along with the Connecticut Bankers Association and the Maine Association of Community Banks, filed a class-action suit to pay for the cost of reissuing the cards, which can run as much as $25 each, and to return funds missing due to fraudulent activity to customers. The three organizations represent nearly 300 banks.

The banking associations’ lawsuit is just the beginning of a flood of litigation against TJX that includes lawsuits filed on behalf of customers in at least eight states in the U.S., six Canadian provinces and Puerto Rico. The retailer also faces hearings and investigations from the Federal Trade Commission and other regulatory agencies that could levy fines on TJX for violating consumer privacy statutes.

In fact, the TJX breach was a catalyst to get the U.S. Senate to approve the Personal Data Privacy and Security Act of 2007, which holds companies more accountable for safeguarding consumers’ personal information. Under the bill, companies would have to install encryption software and notify customers of breaches “in a timely manner” or face fines, though the size of the fines wasn’t specified.

Robert Scott, managing partner of Scott & Scott, a law and technology services firm, said that in addition to paying any judgments from class-action lawsuits related to data breaches, companies would likely be on the hook for fines to the Federal Trade Commission and other regulators that could range between $10 million and $20 million in the worst cases. On top of that, those companies could also face 20 years of federal credit monitoring.

Since the breach at TJX is the largest ever reported, any regulatory fines or judgments in the class-action suits could be large as well. If the class-action suits succeed, their cost may ultimately depend on how negligent the courts find TJX to have been. But some estimates run as high as $500 million.

Mr. Scott said companies underestimate the costs they will incur when they have a data breach, such as the millions of dollars in fees for lawyers, consultants and public relations firms. The cost of notifying affected customers is typically $1 to $2 per person, and offering free credit monitoring services to show good will costs another $100 per person, according to Mr. Scott. Others estimate the bill for such damage to average $185 per victim.

But Mr. Scott said the largest cost is damage to a company’s brand.

A study released this month by the Ponemon Institute, which conducts privacy and information management research, reported that about 60% of the customers of companies that experience a data breach leave or think about leaving that company. “If 60% of your customers are leaving or thinking about leaving, that would lead to a very significant [negative] financial impact,” Mr. Scott said.

Companies have been ignoring the financial costs of breaches because the effects haven’t been catastrophic to them.

“There’s really been very negligible monetary cost to the individual,” said Larry Ponemon, chairman of Ponemon. “Because of that, even though the frequency of breach is on the rise, it’s a possibility that companies are not going to take it seriously because they don’t really believe that there is harm to [their customers].” That’s because customers’ losses are ultimately covered by the banks.

Mr. Ponemon said that, according to his study, most breaches are caused by portable devices like laptops and flash drives being lost or stolen, involve 8,000 to 10,000 individual records and cost companies between $2 million and $3 million in direct and indirect costs.

But that range may be low if TJX serves as a benchmark. TJX has already taken a pretax charge of $5 million for the fourth quarter of 2007 for costs incurred from the breach, and TJX officials won’t speculate about how much more they may have to shell out.

During a conference call this month with analysts to discuss second-quarter earnings, TJX president and CEO Carol Meyrowitz said her focus was on “customer execution of our business and our growth opportunities.” She can afford to focus on growth because even with the computer gaffe, sales were up 6% over the same quarter last year. The breach was first publicized in January.

But even if customers don’t seem to be holding TJX accountable, the message about data security has gotten through. “We have done a monumental amount of work in a short period of time in order to make our computer system stronger,” Ms. Meyrowitz said.

The question is, have other corporate executives done the same thing?