costs

This page considers the costs of large scale exposure of personal information.

It covers -

  • introduction
  • personal costs
  • corporate costs
  • community costs
  • how much money

What are the costs of data losses?

The preceding pages have highlighted six figure penalties in some jurisdictions and multi-million dollar budgets for corporate spending over several years after major data losses by public/private sector entities (eg for enquiry lines).

In practice, however, it is probably most useful to differentiate between -

  • personal costs (those specific to an individual whose data has been exposed)
  • corporate costs (specific to a particular government agency, business or institution)
  • community costs (wider burdens for the economy or society as a whole).

The shape of those costs varies from one jurisdiction to another (law in some nations, for example, places a greater burden on individuals whose data has gone AWOL while in the custody of a financial institution or other organisation) and is likely to change over time.

     personal costs

The cost for individuals has usually been conceptualised in terms of identity theft, with potential for -

  • immediate financial loss, eg appropriation of credit cards and other accounts
  • long term financial loss, eg erosion of the individual's credit profile
  • expenditure of time and money rectifying appropriation of cards (eg getting new cards), dealing with financial institutions to repair a damaged credit profile and so forth.

Some estimates of aggregate costs are discussed elsewhere in this guide.

It is important to emphasise that not all data losses are caused by identity thieves or exploited by them. Some misplaced tapes presumably end up as landfill rather than in the hands of the Vladivostok mafiya. Data on some laptops, PDAs and memory sticks gets erased before anyone looks at it.

It is also important to recognise that the cost to individuals may be non-financial. Exposure of medical records, for example, may not result in misuse of a credit card but may cause feelings of shame and anxiety along with erosion of trust in a medical service provider (something that may deter a consumer from seeking treatment). It is a breach of privacy. Such exposure may, of course, also result in financial costs if the information involves a stigmatised condition, such as a psychiatric disorder or HIV/AIDS.

Exposure of data from police and anti-corruption agencies, as noted on the preceding pages, can imperil the safety of individuals and their associates.

     corporate costs

Corporate costs take a variety of forms, some of which far outweigh the apparent savings from omitting encryption or other protection measures.

Those costs can include -

  • financial penalties imposed by regulators, such as the £0.98 million fine imposed by the UK Financial Services Authority on Nationwide for the loss of a laptop and the US$15 million settlement by ChoicePoint with the US Federal Trade Commission
  • other penalties imposed by regulators, including requirements that organisations demonstrate that they have addressed weaknesses in their handling of data and even withdrawal of authorisation to operate in particular markets
  • compensation payments (with exemplary damages in some instances) imposed by courts in class action lawsuits
  • increased insurance costs
  • erosion of an organisation's public profile, potentially including loss of market share and reduced capital value
  • loss of business when corporate clients consider that they cannot afford to be associated with an organisation that is perceived as an example of bad practice
  • establishment of call centres and undertaking mailouts to affected individuals
  • payment for credit monitoring services for affected individuals
  • assisting official investigators in determining what went wrong and why
  • legal and administrative expenses in defending litigation by regulators and consumers or dealing with queries by regulators, shareholders and the media

There have been no comprehensive studies of post-loss personnel changes but it appears that presiding over a major loss is not a good way to enhance an executive's career profile.

     community costs

Little of the writing about data losses considers broader community costs. That is in line with the failure of most commentators to identify botnets - and, more broadly, much spam - as the cost we all pay for global uptake of Microsoft's software.

Some community costs are clear. Pension funds and other investors suffer through reduced share prices when businesses lose data and customers.

In some instances that loss has imperilled the viability of organisations. The chief executive of CardSystems Solutions complained, following exposure of around 40 million credit card details after its security was breached by hackers, that his company was "facing imminent extinction" because of disclosure of the breach and industry's reaction to it. (One response would be that more effective business practice would have prevented the exposure and the danger of "extinction".)

In December 2007 CardSystems announced that it was headed towards liquidation (with assets of US$13.1 million against debt of US$23.9 million, following sale of most of its assets in 2005).

Retail conglomerate TJX announced in May 2007 that its first-quarter profit dipped 1% as initial costs relating to the data loss offset revenue growth. It foreshadowed further costs relating to investigation, enhanced computer security and systems, along with "technical, legal and other fees" that could total 2 or 3 cents per share in the second quarter. Beyond those costs, TJX said it did not know how much the data breach would eventually cost, including "exposure to credit card companies and banks, various legal proceedings and other expenses".

In December 2007 TJX proposed to pay up to US$40.9 million to compensate banks that issued Visa payment cards potentially affected by the data loss if they agree not to sue it. Its profit in the preceding quarter was US$249.5 million on revenue of US$4.74 billion.

Other community costs are intangible. What is the cost of reduced trust and imposition of tighter regulation of businesses (and of institutions and government agencies)? Are identity theft insurance services essentially a cost that is ultimately borne by society, a cost that we could ideally do without? What are the costs for the community of litigation and policing action? What are the social costs of people not seeking medical treatment or other services because they do not trust the service provider to protect their information?

     how much money

What is the aggregate national or global cost of data losses? There is no definitive answer.

One reason is the absence of data, unsurprising given the reluctance of some organisations to disclose management failures (which might elicit litigation, attention from regulators and calls for the removal of executives or even boards) and the lack of central collection points. Another reason is disagreement about terms and values, and about attribution of costs. Is a particular incident of identity theft the result of a corporate loss of data or of exposure of the information by the individual?

A third reason is conflicts among data custodians and service providers about the extent of losses, costs of prevention and costs of resolution. Much data loss is ultimately attributable to institutional failures to identify risks and take appropriate precautions. Those precautions involve expenditure but that spending may be greatly outweighed by costs to the organisation if data loss occurs.

Some security service providers have hyped the frequency of data losses and their severity. Others, along with hardware and software vendors, have understated the likelihood of a loss occurring and the probable significance of that loss. Insurance providers have on occasion highlighted the likelihood of loss. Third parties, such as organisations entrusting information to data processors or couriers, appear to have frequently turned a blind eye to potential problems or relied on notions of 'industry practice' (ie our competitors are doing it too).

Security analysts have on occasion promoted 'off the shelf' models for calculating the potential costs if precautions are not taken. One US analyst, for example, identified 'hard costs' as encompassing -

  • initial personnel costs relating to loss, including staff time identifying that a loss has occurred, assessing its significance (what was on the device?), communicating the loss to inhouse legal personnel and external counsel
  • personnel costs regarding customer notification, eg composing and mailing correspondence, generating a notice for a corporate site
  • public and investor relations and call centre costs, including post-event advertising to protect the corporate brand
  • assisting regulators and law enforcement agencies in any criminal prosecutions
  • affected customer costs (credit tracking for affected customers)
  • legal damages, including fines and legal fees regarding a civil lawsuit
  • payment for customer credit monitoring reports
  • lost customer revenue
version of December 2007
© Bruce Arnold
caslon.com.au | caslon analytics