The costs of handling a data breach are becoming so onerous that they will push at least one business into bankruptcy soon, George Tubin, a senior analyst at TowerGroup Inc., predicts.
"I really believe that over the next 12 months we're going to see a company go bankrupt, or the beginnings of it," Mr. Tubin said in a presentation at a conference TowerGroup, a Needham, Mass., independent research firm owned by MasterCard Inc., hosted last week in Boston.
"We just have more and more data, and more opportunity for that data to be lost and stolen," he said in a later interview. "And we have an increasing market for this type of data."
Legislators are considering legislation on breaches, but a company will start its path to bankruptcy before any of the legislation takes effect, he said in the interview. "And the regulations that do come about aren't going to have enough teeth."
One reason merchants are at higher risk of bankruptcy is that the increased attention to breaches is attracting lawsuits and regulatory penalties, he said.
For example, several banks are suing TJX Cos. Inc. for a large breach it disclosed this year. The Framingham, Mass., company said in mid-May that it has already spent more than $25 million related to the breach, and the suit asks the retailer to cover the cost of reissuing affected cards.
ChoicePoint Inc. is still paying for a breach it disclosed in 2005. Gartner Inc. estimated last year that ChoicePoint lost $49.1 million because of the breach, and last week the Alpharetta, Ga., company said it is paying another $500,000 in a settlement with many states' attorneys general.
Last year computer hardware belonging to the Department of Veterans Affairs was stolen from an employee's home. The government spent $14 million just to notify the affected individuals, and initially it said it expected to pay an additional $160.5 million for credit-monitoring services for the victims. It decided against paying for those services when it recovered the hardware and an analysis showed the data likely had not been accessed.
Mr. Tubin said that TJX, ChoicePoint, and the government have the resources to cope with these costs. The companies at the highest risk of bankruptcy are much smaller, with annual revenue in the tens of millions or hundreds of millions, he said.
Generally, breaches cost about $200 to $300 a record, Mr. Tubin estimated. Investing in security to prevent them can cost as little as $20 an account for high volumes of data, but costs can reach $100 a record for low volumes, he said.
Other estimates, such as one made by Forrester Research Inc. of Cambridge, Mass., in April, put the cost of a breach at $90 to $305 a record. The Forrester estimate includes costs that the breached company may not yet be required to pay, such as issuing cards.
A study Ponemon Institute LLC of Tucson published last year found that the cost of an average data breach rose 30% from a year earlier, to $4.8 million, or $182 a record.
Bankers are trying to push more of those costs on to the merchant. The Massachusetts Bankers Association is one of the plaintiffs in the suit filed against TJX in April.
Bruce E. Spitzer, the trade group's director of communication, said consumers might benefit if Mr. Tubin's prediction came true. "Perhaps it would be a good thing for consumers … if other retail businesses witness another retailer having trouble."
The group is pushing to make bankruptcy a more realistic penalty for not safeguarding card information, Mr. Spitzer said. It has helped write a bill to make retailers liable for banks' costs in a breach.
"What we are trying to do, both on the legislative side and with this lawsuit, is change the paradigm," he said.
The ultimate goal is not to drive retailers into bankruptcy, Mr. Spitzer said, but it hopes the prospect of bankruptcy becomes realistic enough that retailers will invest in better safeguards.
Protecting data "is still more cost-effective than waiting for a breach to occur when you haven't protected your customers," he said.
