NEW YORK — A Columbia University review of financial statements at merchants like Sony, Target and Home Depot reveals that merchants barely notice the financial hit they take as the result of data breaches.
Benjamin Dean, a fellow for Internet governance and cybersecurity at Columbia University's School of International and Public Affairs studied 10-K reports from Sony, Target and Home Depot that were filed with the SEC. Dean's findings,
- While Target's 2013 data breach impacted 40 million credit and debit cards and 70 million personal records, reported gross expenses were $252 million. But that shrank to a net loss of just $104 million after insurance reimbursements and tax deductions — just 0.1% of Target's 2014 sales.
- Last year's Home Depot breach impacted 56 million credit and debit card numbers, along with exposing 53 million email addresses. Insurance reimbursed the retailer $28 million, bringing the Home Depot's costs down to $15 million — less than 0.01% of the chain's 2014 sales.
- The November 2014 hack of Sony's computer systems, which was originally estimated to have cost the company more than $100 million, was reported to cost $44 million. Dean found that estimates have dropped that figure to $15 million for investigation and remediation costs — losses that account for only 0.9%-2% of total projected sales for 2014.
"It therefore does not make economic sense for companies like Home Depot to make large investments in information security. As a result, they do not," wrote Dean. "The insurance pay-outs and tax deductible breach-related expenses weaken the incentives even more."
Credit union trade groups have spent the last year pressuring Congress to pass legislation making retailers more accountable for the losses suffered during a data breach, rather than consumers' financial institutions. CUNA has reported that the Home Depot breach alone cost CUs $60 million.
