The 2013 holiday season wasn’t a happy one for Target Corp.
The chain discovered that its card readers had been infected with a malware program that lifted more than 40 million credit card numbers from the point of sale. Less than a month later, the company disclosed that the breach had also taken up to 70 million customer records, making it the second-largest data breach of all time.
In September 2014, Home Depot unwittingly shared more than 56 million card numbers with hackers from malware-infected point-of-sale systems in the U.S. and Canada. Systems at Neiman Marcus, Michaels craft stores, and other retailers have also been hacked since.
While breaches are becoming more common and more costly, companies don’t seem to be getting smarter about protecting information. This could cost them both money and consumer trust.
Security is still lax
Most retailers that suffered a data breach between Nov. 1, 2013 and Nov. 1, 2014 have beefed up their data systems, says security ratings firm BitSight Technologies, but average security effectiveness at the 300 major U.S. retailers surveyed decreased.
“While it’s encouraging that a majority of the breached retailers have improved their security effectiveness, there is more work to be done,” said Stephen Boyer, BitSight cofounder and CTO, in a release announcing the results.
Nine out of 10 data breaches occurring in the first half of 2014 could have been avoided, according to a new report from the nonprofit Online Trust Alliance (OTA).
“Businesses are overwhelmed with the increasing risks and threats, yet they all too often fail to adopt security basics,” Craig Spiezle, OTA’s executive director and president, said in a release.
Taking basic precautions
Protecting an enterprise’s data is never foolproof, but merchants can take precautions against hacks. Security specialists advise retailers to use firewalls to screen incoming Internet traffic, implement strict password policies for employees, and screen and limit outbound Internet traffic to ensure that a piece of malware isn’t shipping confidential records off electronically.
“Too many merchants overlook how data is removed from their systems,” Bradley Cyprus, chief of Security and Compliance for Netsurion, a provider of cloud-based firewall solutions, told Retail Dive. “Malware can be installed on a system through numerous means. After infiltration, the malware tries to send data back to its creator over the Internet, and many network security devices are not properly configured to block this traffic.”
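The outbound-traffic control described above is the one most often missed, so here is an added example (not from the article, Netsurion, or any retailer named in it) of what "screen and limit outbound Internet traffic" looks like in practice: a default-deny egress allowlist for a point-of-sale segment, audited against a few constructed firewall log lines. The POS subnet, the card-processor and update-server addresses, and the log format are all hypothetical.

```python
"""Default-deny egress allowlist for a POS segment, checked against firewall logs.

Added example, not from the article. All addresses and the log format are
constructed assumptions:
  * POS terminals live in 10.20.0.0/16.
  * The only legitimate outbound destinations are the card processor
    (203.0.113.10:443) and an internal update server (10.0.5.5:8443).
  * Firewall log lines use a simple key=value layout.
"""
import ipaddress
import re
from dataclasses import dataclass

POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")

# Egress allowlist: (destination network, destination port).
# Anything else leaving the POS segment is blocked and alerted on.
EGRESS_ALLOWLIST = [
    (ipaddress.ip_network("203.0.113.10/32"), 443),   # card processor (assumed)
    (ipaddress.ip_network("10.0.5.5/32"), 8443),      # update server (assumed)
]

LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)\s+bytes=(?P<nbytes>\d+)\s+action=(?P<action>\w+)"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int
    action: str
    reason: str


def egress_permitted(dst: str, dport: int) -> bool:
    """Policy decision: True only for an allowlisted destination/port pair."""
    dst_ip = ipaddress.ip_address(dst)
    return any(dst_ip in net and dport == port for net, port in EGRESS_ALLOWLIST)


def parse_line(line: str):
    """Parse one key=value log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["nbytes"] = int(rec["nbytes"])
    return rec


def audit_egress(lines):
    """Report every POS-segment connection to a non-allowlisted destination.

    Denied attempts are reported too: a POS host trying to reach an unknown
    address is itself a sign of infection, even when the firewall stopped it.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["src"]) not in POS_SEGMENT:
            continue  # only the card-handling segment is audited here
        if egress_permitted(rec["dst"], rec["dport"]):
            continue
        reason = "POS host contacted a non-allowlisted destination"
        if rec["action"] == "allow":
            reason += "; firewall allowed it (egress rule missing)"
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["dport"],
                                rec["nbytes"], rec["action"], reason))
    return findings


# Constructed sample log: two legitimate flows, one allowed exfiltration-sized
# transfer, one denied attempt, one non-POS host, one malformed line.
SAMPLE_LOG = [
    "2014-11-15T02:13:44Z src=10.20.3.17 dst=203.0.113.10 dport=443 proto=tcp bytes=2048 action=allow",
    "2014-11-15T02:14:01Z src=10.20.3.17 dst=10.0.5.5 dport=8443 proto=tcp bytes=40960 action=allow",
    "2014-11-15T02:15:30Z src=10.20.3.17 dst=198.51.100.77 dport=443 proto=tcp bytes=5242880 action=allow",
    "2014-11-15T02:16:02Z src=10.20.7.42 dst=198.51.100.77 dport=21 proto=tcp bytes=120 action=deny",
    "2014-11-16T09:00:12Z src=10.50.1.9 dst=198.51.100.77 dport=443 proto=tcp bytes=500 action=allow",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for f in audit_egress(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} {f.nbytes}B [{f.action}] {f.reason}")
```

The design point is that the allowlist is the rule set, not the audit: on a real firewall the same two entries become the only permit rules for the POS segment, followed by a deny-all, and the audit exists to catch the case where that deny-all was never written. The allowed 5 MB transfer to an unknown address is the signature of the "data removed from their systems" problem the quote describes.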
The high cost of low security
Virtual theft has cost retailers real dollars. Target Corp. spent $236 million after its systems were hacked, and likely lost out on an unknown amount of holiday sales. Home Depot will pay approximately $62 million this year to handle its hack by staffing call centers to handle customer inquiries and paying additional expenses.
Direct costs to retailers following a breach involve a variety of fees and penalties. A breach may require a forensic investigation, which “can exceed $250,000 for complicated or multilocation environments,” Cyprus says. Then, retailers need to replace credit cards and fund credit-monitoring services for affected clients. Retailers also may owe their banks money if they failed to comply with contractual security guidelines, or be required to reimburse fraudulent charges.
A May 2014 study from IBM and the Ponemon Institute estimates the cost of each lost or stolen record containing personal and payment information at $201 to the breached organization, whether it’s a retailer, a bank, or a health insurance company. Multiply that by millions, and it makes for an alarming line item on the company’s books.
Erosion of trust
The biggest effect of a breach is often on the brand’s reputation and trust, however—and a loss of trust often translates to a loss of revenue. An overwhelming majority (86.6%) of U.K. consumers polled last year by Semafone, a contact center specializing in card not present (CNP) transactions, said they are “not at all likely” or “not very likely” to patronize a business that has allowed confidential payment card data to be breached.
“Most companies experience opportunity costs associated with the breach incident, which results from diminished trust or confidence by present and future customers,” the IBM/Ponemon study says. “Research shows that the negative publicity associated with a data breach incident causes reputation effects that may result in abnormal turnover or churn rates, as well as a diminished rate for new-customer acquisitions.”
“Consumer trust has been tarnished by the recent Sony, Staples and Home Depot breaches, among others,” Spiezle said at OTA’s Privacy Day last month. “Considering over 90% of breaches in 2014 were avoidable, every employee—from the boardroom to the back room—has a responsibility to embrace privacy and security practices on behalf of consumers.”
Losing out on business
Consumers need time to heal from a breach, especially patrons of smaller retailers or franchises. “Many small merchants have noted a drop in business of between 10% to 20% for the 12-month period immediately following their data breach,” Cyprus says. “Compounding the problem, company resources (e.g. marketing and public relations) that normally would be engaged in driving business are often redirected to address the data breach.”
“By the time all of the costs are tallied from a monetary, human resource and loyalty basis, it is difficult for many small businesses to keep their doors open,” he adds. “The ones that survive are only able to do so if they can weather the significant and ongoing loss a breach represents.”