The Cost of Data Breaches

CSOs know that information security breaches cost a lot of money. It takes work to investigate and fix what went wrong and to alert affected California citizens, as required by state’s breach disclosure.  But how much does it cost? The answer, like the answers to man questoins in the security field, depends on the circumstances; your mileage will vary  based on your industry, the scope of the problem and the public’s reaction.

Take two recent and high profile examples, ChoicePoint and CardSystems.  ChoicePoint, the data aggregator that admitted in February that it had information stolen by imposters posing as business customers, went on to post record revenues in its most recent quarter. The company’s financial report, released July 20, claims that its stock would have risen 44 cents per share for the quarter were it not for the “dilutive effect of specific expenses related to the fradulent data access previously disclosed.” Instead, the stock rose 40 cents per share. (With 90 million shares outstanding, those pennies add up.) Operating income for the quarter also took a pre-tax hit worth $6 million to cover legal expenses and other professional fees related to data breach episode.

The Wall Street Journal recently reported that security breaches create a drag on stock prices of about one percent right away. The ChoicePoint case appears more acute. While ChoicePoint stock, which hit a low in March of $36.35, has rebounded to $43, it is still 10 percent less than its 52-week high.

Academic researchers have sought to quantify the precise impact of security breaches. Looking at breaches occuring in a range of industries, researchers from the University of Maryland’s Robert H. Smith School of Business have found that the stock market punishes companies where a breach of confidential data occurred; other breaches don’t hurt stock prices as much. 

Which brings us to CardSystems Solutions. Atlanta-based CardSystems, a 115-employee credit card transactions processor, in May discovered a security breach had compromised as many as 40 million MasterCard, Visa, American Express and other credit card accounts. Since the breach came to light June 19, the heat has been on. Both Visa and American Express are slated to terminate their contracts on Oct. 31. That action, saysCardSystems’ president and CEO, John M. Perry, will spell the end of the company. Perry told a Congressional committee on July 21: “We are disappointed with these actions and, in light of our diligent efforts to remediate, hope that both Visa and American Express will agree to discuss their decision with us and reconsider, lest we be forced to permanently close our doors.”