Though they differ on the reasons, analysts agree that companies in general are spending more to deal with payment card data breaches, and a new study says the increase is more pronounced at financial firms.
The study, released Wednesday by Ponemon Institute LLC, found that the overall average cost to handle a breach was $197 per compromised record, but for financial institutions the average was $239 per record.
The Tucson company surveyed 35 companies that had experienced a data breach this year. Across all industries, the costs attributed to data breaches rose by 8% per record from 2006, in large part because companies have been able to link some customer defections to breaches.
John Dasher, the director of product management for the encryption software vendor PGP Corp., said that recovering from breaches is particularly costly for financial companies.
"The costs continue to escalate for financial services firms because the expectations of the public on them are higher," Mr. Dasher said.
PGP sponsored the study with Vontu Inc., a vendor of data-loss-prevention products.
To be sure, Mr. Dasher said, plenty of customers will stick with their bank after a breach. "I'm not saying people are flipping in floods, but it's measurable."
But given consumers' general reluctance to move their accounts to new banks, "the fact that this is changing at all, I think, is earth-shattering," he said. Before breaches became so widely disclosed, most customers would change banks only if they moved to a different state or "had an absolutely horrendous customer experience," he said.
Another reason that banks have higher costs is that many are using aging equipment, Mr. Dasher said. The older the banking company, the older the technology and the harder it is to adapt that technology as a preventative measure or to help avoid further breaches once one occurs.
Banks "got used to doing insecure transactions over secure networks," Mr. Dasher said. "All that has changed. They now have to do secure transactions over fundamentally insecure networks."
Avivah Litan, a vice president and research director at Gartner Inc., a market research company in Stamford, Conn., agreed that the costs for breaches are going up, but she gave different reasons.
For example, breaches do not always lead to customer losses, Ms. Litan said. The largest breach in recent history, at the retailing company TJX Cos. Inc., shows the opposite. "If you look at the TJX sales numbers, they went up" after the incident, she said.
In another high-profile breach, disclosed by ChoicePoint Inc. in 2005, most of the customers the data provider lost were dropped by its own choice.
"They did lose business because they got rid of clients that were risky," Ms. Litan said.
"The regulation that banks have to comply with" also could explain why breaches are more costly for banks than for merchants, she said.
Ms. Litan also noted that changing employees' business processes because of new or upgraded systems is often more expensive than the technology itself.
George Tubin, a senior analyst at TowerGroup Inc., a Needham, Mass., independent research firm owned by MasterCard Inc., said customers are loath to switch banks. It might be easy to switch department stores, but "it's different if a company holds your mortgage."
Customers have higher standards for banks and are becoming "less and less" tolerant of security lapses, Mr. Tubin said. They will leave if a breach stems from "extreme negligence."
As a result, he said, banks' post-breach marketing spending is up.
"Especially with financial services, I think some of the drivers of the cost are general public perception … and the rising concern and how upset people are getting," Mr. Tubin said. "They're hearing more and more, so the institution has to do a lot more when it happens, from a PR standpoint."
This also means spending money to address the root cause of the breach, he said. If a company lost a laptop, it has to show that it is now encrypting its laptops, for example.
"Customers just don't want to hear, 'It happened,' " he said. "When stuff goes wrong, you fix the problem, then you fix the cause."










