A look at data breach penalties: Are they too lax?

As the names pile up — Equifax, Target, Home Depot, TJ Maxx, etc. — there's one thing all of these brands have in common. They all disclosed a major data security breach, and they all remain in business despite what happened.

In theory, rules such as the Payment Card Industry data security standard as well as national regulations should have a more adverse effect on these companies. At most, they pay a fine they can more than afford, and remove a few executives to appease bloodthirsty shareholders, but they are not even temporarily barred from accepting the very payment card data they failed to protect.

Consumers, despite their ire, are still willing to work with all of these brands — including Equifax, a company they arguably had no choice to work with in the first place. According to Auriemma Consulting Group, although there is increased consumer skepticism of credit bureaus in the wake of the Equifax breach, 82% of cardholders believe their financial accounts are secure and about 80% reporting confidence in their bank’s and/or credit card issuer’s ability to protect their financial information.

Short memories

The short-lived outrage over the Equifax breach may be a symptom of rapid-fire news cycles and a deluge of other news that crowds out data breaches, but there is also a sense that data breaches are effectively the cost of 21st-century living and that, at this point, these are just acts of nature akin to the occasional hurricane or flood — they will keep on happening, just usually to someone else.

While Equifax sucked all the air out of the room last year, it is worth noting that according to the Identity Theft Research Center, there were 1,578 other data breaches in 2017, exposing a total of 178.9 million data records. This builds on the 1,079 data breaches in 2016 and 780 in 2015. It is therefore of little surprise that consumers are no longer shocked by their data being made public given that there were an average of 4.3 data breaches per day last year. (Equifax did not respond to a request for comment for this story.)

The high level of consumer apathy may be something of a disincentive for organizations to properly invest in cybersecurity, but another aspect is that the cost of a breach really isn’t that much for large companies.

Much of this comes down to cost-benefit analysis. For example, the net expenses related to the Home Depot data breach of 2014 were $28 million, which ultimately represents less than 0.01% of Home Depot’s sales for that year. Similarly, Target incurred $105 million in cyber breach-related expenses, but this amount was only 0.1% of their 2014 sales. While the final tab for the Equifax breach is still being tallied, it’s estimated to cost insurers $125 million. According to Property Claim Services (PCS). That is not to say that these events were not financially punitive, but certainly the losses incurred from these breaches were a drop in the ocean of total revenue.

Some have had more reputational breaches, such as Ashley Madison and Sony; the former exposed would-be adulterers and the latter exposed sensitive internal emails that got considerable media exposure due to the celebrity gossip content. The cost for Ashley Madison was a $11.2 million class action settlement, while direct costs from the Sony Pictures breach totaled $35 million. With operating profits of $460 million in 2015, again, the cost of the breach was a mere dent for Sony that was easily buffed out. Both of these companies have weathered the storm and continue to operate.

Not like the old days ...

To find data breaches that were actually devastating to the company that suffered the exposure, one needs to go back over a decade.

The CardSystems data breach of June 2005 was — by today’s standards — a fairly vanilla example of a data breach, with 40 million cards exposed. But the penalty was much bigger: In the wake of this incident, both Visa and American Express dropped CardSystems as a credit card processing company and a federal investigation launched. In a tailspin, CardSystems was acquired by the biometric payments company PayByTouch later that year. PayByTouch, in turn, went out of business in 2008.

Shortly after the demise of CardSystems and PayByTouch, another significant processor data breach occurred.

In January 2009, Heartland Payment Systems announced a breach of over 100 million card credentials. In contrast to the CardSystems data breach, Heartland remained a processor for all the major card networks after reaching a number of settlements with the card brands and re-evaluating its methods for demonstrating PCI compliance. Heartland even worked to emulate Tylenol, using its experience as a means to promote the use of end-to-end encryption and strengthen the overall payments system.

In short, between 2005 and 2009 there was an attitudinal shift among the card networks, which chose to fine companies rather than cut them off entirely.

Size matters

Where data breaches hurt are the numerous attacks that occur below the media radar. Research from Netdiligence highlights the disproportionate number of breaches occurring for small businesses compared to larger organizations — nearly half of all data breaches happened to businesses with less than $50 million in annual revenue. By contrast, companies with revenue of more than $10 billion accounted for just 3.8% of breaches. Further, the average cost of a breach to a company of less that $50 million in revenues is approximately $125,000 —- 0.25% of revenue. For a company of $10 billion or more, the average cost is around $5.8 million, just 0.06% of revenues.

Further, with a smaller customer base for small companies, customer churn is far more pronounced. Larger companies benefit from strength in numbers, so an equivalent loss of customers would be far less damaging. With more limited resources both for security implementation and post breach remediation, small businesses are sitting ducks for would-be attackers.

As further evidence of the combination of breach fatigue and the collective apathy for regulation and change, in recent weeks, Equifax announced that it will notify a further 2.4 million consumers that their data has been compromised. This failed to make the same headlines that the company made last year; the news cycle had already moved on.