A report surfaced last week that members of the Consumer Bankers Association have so far reissued more than 17.2 million debit and credit cards at a cost of $172M. The math is pretty simple: at about $10 per card, this element of the breach is already proving to cost much more than models had predicted.
There are many data breach calculators to help companies estimate their potential costs in the event of a data breach. The key elements are calculated on a per-record basis. For example, the cost of notifying customers is typically estimated at $1 per record. That assumes notification is done by physical mail and covers the basic costs of postage, printing and collating letters, etc. Many companies will avoid or reduce this cost by using email notification for some or all of the records affected (assuming they have that information).
Credit monitoring insurance is estimated at $8-10 per record, but is then discounted to reflect the fact that only 10-20% of customers typically sign up for the service. Here again, companies can control costs by deciding to offer different levels of coverage (1 year vs 2 or 3), or by not offering credit monitoring when it is believed that the risk of fraud is low (such as when the breached data was encrypted).
The cost of reissuing credit cards is considered a third-party liability, as the banks typically make a demand on the merchant to reimburse them for these costs. The challenge is that the merchant has no control over this expensive line item. Breach calculators currently estimate $2-$3 per card for reissuance, so the $10 figure cited by the CBA is staggering. It seems that the magnitude of the Target breach has revealed a new potential problem: the capacity of card manufacturers to handle such a significant volume of replacement cards on short notice. There have been reports of processing delays, which may have led banks to use overnight delivery to meet customer demands, increasing postage costs.
Not all banks have yet chosen to reissue credit cards in this breach, so the average cost may end up trending lower. But this event suggests that breach calculators might need to adjust their metrics on this point, particularly for large-scale breaches.