Target Breach Costs are Already Blowing up Data Breach Calculators

February 19, 2014

A report surfaced last week that members of the Consumer Bankers Association have so far reissued more than 17.2 million debit and credit cards at a cost of $172M.  The math is pretty simple:  at about $10 per card, this element of the breach is already proving to cost much more than models had predicted.

There are many data breach calculators to help companies estimate their potential costs in the event of a data breach. The key elements are calculated on a per-record basis. For example, the cost of notifying customers is typically estimated at $1 per record. That assumes notification is done by physical mail and contemplates the basic costs of postage, printing and collating letters, etc. Many companies will avoid or reduce this cost by doing email notification for some or all of the records affected (assuming they have that information).

Credit monitoring insurance is estimated at $8-10 per record, but is then discounted to reflect the fact that only 10-20% of customers typically sign up for the service. Here again, companies can control costs by deciding to offer different levels of coverage (1 year vs 2 or 3), or by not offering credit monitoring when it is believed that the risk of fraud is low (such as when the breached data was encrypted).

The cost of reissuing credit cards is considered a third party liability, as the banks typically make a demand on the merchant to reimburse them for these costs.  The challenge is that the merchant has no control over this expensive line item.  Breach calculators currently estimate $2-$3 per card for reissuance, so the $10 figure cited by the CBA is staggering.  It seems that the magnitude of the Target breach has identified a new potential problem – the capacity of card manufacturers to handle such a significant volume of replacement cards on short notice.  There have been reports of processing delays, which may have led banks to use overnight delivery to meet customer demands, increasing postage costs.

Not all banks have yet chosen to reissue credit cards in this breach, so the average cost may end up trending lower.  But this event suggests that breach calculators might need to adjust their metrics on this point, particularly for large-scale breaches.

All views expressed in this article are the author’s own and do not necessarily represent the position of Woodruff-Sawyer & Co.

Lauri Floresca

Senior Vice President, Cyber Liability

Editor, Cyber Liability

Lauri is a widely respected expert and frequent speaker on the issues of directors & officers liability and cyber liability. She has developed her expertise surrounding complex privacy breach claims and innovative Cyber Liability solutions, and has extensive experience placing D&O programs for public companies of all sizes, including NASDAQ 100 and Fortune 500 companies.

415.402.6523
