Data breaches seem to be getting more common, and soon they could get more costly. At least one security analyst predicts that a breach will bankrupt a high-profile company.
Bank of America Corp., CardSystems Inc., ChoicePoint Inc., LexisNexis Group and TransUnion LLC represent just a handful of the most recent victims bitten by the breach bug. But the lessons these high-profile companies are learning about customer data security may not be motivating other firms to secure their systems.
Many companies have not spent enough money on protection, according to Jon Oltsik, senior analyst with Enterprise Strategy Group in Milford, Mass. "They're playing catch-up now, but some say they will just live with the risk," he said. "Some old-school types can't justify the return on their investment."
Oltsik believes this ROI-based resistance will mean a new chapter in data security -- Chapter 11. He believes that a data breach will drive a large public company into bankruptcy within the next couple of years. "It's only going to get worse," he warned.
As further proof, a recent Ponemon Institute survey of 9,000 people found that 12% of respondents had been notified of a data breach or loss by a company with which they did business. Of those affected, 20% said they immediately stopped doing business with the companies that couldn't keep their data secure.
CardSystems and ChoicePoint already have paid heavy prices for their breaches. Visa and American Express both dropped CardSystems after the Atlanta-based payment processor was hacked last summer, exposing more than 40 million credit card numbers.
"CardSystems' entire business viability is threatened," said Jonathan Penn, an analyst with Cambridge, Mass.-based Forrester Research Inc.
ChoicePoint took a $6 million charge in June after ID thieves duped the company into releasing personal data, exposing the information of as many as 162,000 Americans. The Alpharetta, Ga.-based data firm spent nearly $2 million contacting affected customers and offering them credit reports and monitoring services. ChoicePoint also saw its stock price fall after the breach and now faces a possible class action lawsuit.
The cost of disclosure, notification and the offer of credit monitoring services to affected users or customers after a breach can really add up. Penn said that the general rule is $15 per customer. "If it's a financial firm and credit cards are involved, that's an additional $35 for credit card replacement."
Chicago-based TransUnion suffered a breach in October when someone broke into a California sales office and stole a computer that might have contained credit information on approximately 3,600 customers. According to a statement, the company set up a toll-free hotline for affected consumers, let them request a free copy of their credit report from all three nationwide credit bureaus and gave them a free year of credit monitoring on all three credit reporting files. The company did not put a price tag on the damage control.
"There is often a misconception that a compromise means identity theft is right around the corner," said Tim Keller, TransUnion's director of fraud and identity management solutions. "Many times, there's no evidence that information has fallen into the wrong hands – the key is to communicate with customers and address their concerns."
Some 300,000 compromised passwords at LexisNexis were costly, but in the end might actually benefit the company.
While the Dayton, Ohio-based information company paid for a notification program and credit management consumer services, company officials did learn a valuable lesson.
"It brought home to us that customers needed to be more vigilant about their password protections," said Judi Schultz, the company's senior PR manager. The company now requires customers to change their passwords every 90 days.
Similarly, Bank of America, which lost backup tapes containing data on 1.2 million federal employees earlier this year and fell victim (along with several other banks) to dishonest insiders, has implemented a security program called SiteKey on its Web site. Intended to provide an additional authentication layer, customers are told not to enter their password unless they either see a specific image and message, or answer a series of confirmation questions.
Beyond financial and reputational consequences, data breaches undermine the public's confidence in online shopping and banking. Oltsik said even if a person's identity isn't stolen, he still pays in terms of privacy regulation, lost time, lost confidence and increased feelings of insecurity, all of which are proxies for money,. But he does believe that by and large, security in the digital age is coming around.
"We were so gaga over Internet connectivity over the years that we forgot we were making it easier to steal information," he said. "Now we're catching up."