"Paying a couple million [dollars] in a fine to the Federal Trade Commission and another couple million to send notices out [to victims] is nothing," says Christine Varney, head of the Internet practice group at Washington, D.C. law firm Hogan & Hartson. "It's irrelevant. It's a cost of doing business."
Varney, who served as a Federal Trade Commissioner for five years in the 1990s, says she has defended or counseled many companies that have mistakenly disclosed personal data like Social Security numbers, bank account numbers and driver's license numbers. She spoke last month at the Identity Mashup conference at Harvard Law School in Cambridge, Mass. Varney does not believe that data breach notifications mean much to victims because the companies that hold the data do not bear financial responsibility for disclosing it. "Do I think the vast majority of Fortune 1,000 consumer-facing companies take it very seriously? Absolutely not. They are the people in my office after they get caught," Varney says.
Varney says the companies give "no thought to the value that they need to place on the security of data they hold."
Their mistakes certainly haven't made a dent in their earnings, at least according to financial statements filed by three public companies that have committed data breaches. Business is booming for shoe retailer DSW Inc., of Columbus, Ohio, which allowed hackers to gain access to credit card, debit card, and checking account information of more than 1.4 million customers in March 2005. The company has since settled with the FTC, but in its quarterly report filed April 13, DSW had this to say: "Although difficult to quantify, since the announcement of the theft the company has not discerned any material negative effect on sales trends it believes is attributable to the theft." In fact, sales and profits are up. DSW's net income was $37.2 million on net sales of $1.1 billion for fiscal year 2005, which ended January 28, 2006. That compares with net income of $35.0 million on net sales of $961.1 million for the same period of the previous year. The 2005 results included a charge of $6.5 million for losses associated with the data theft.