The Small Penalty For Big Data Breaches

Confidential customer information is precious but many large public companies that have experienced data breaches in recent months pay only a small price in fines and the impact on their financial performance for failing to protect this data.

"Paying a couple million [dollars] in a fine to the Federal Trade Commission and another couple million to send notices out [to victims] is nothing," says Christine Varney, head of the Internet practice group at Washington, D.C. law firm Hogan & Hartson. "It's irrelevant. It's a cost of doing business."

Varney, who served as a Federal Trade Commissioner for five years in the 1990s, says she has defended or counseled many companies that have mistakenly disclosed personal data like Social Security numbers, bank account numbers and driver's license numbers. She spoke last month at the Identity Mashup conference at Harvard Law School in Cambridge, Mass. Varney does not believe that data breach notifications mean much to victims because the companies that hold the data do not bear financial responsibility for disclosing it. "Do I think the vast majority of Fortune 1,000 consumer-facing companies take it very seriously? Absolutely not. They are the people in my office after they get caught," Varney says.

Varney says the companies give "no thought to the value that they need to place on the security of data they hold."

Their mistakes certainly haven't made a dent in their earnings, at least according to financial statements filed by three public companies that have committed data breaches. Business is booming for shoe retailer DSW Inc., of Columbus, Ohio, which allowed hackers to gain access to credit card, debit card, and checking account information of more than 1.4 million customers in the March 2005. The company has since settled with the FTC, but in its quarterly report filed April 13, DSW had this to say: "Although difficult to quantify, since the announcement of the theft the company has not discerned any material negative effect on sales trends it believes is attributable to the theft." In fact, sales and profits are up. DSW's net income was $37.2 million on net sales of $1.1 billion for fiscal year 2005, which ended January 28, 2006. That compares with net income of $35.0 million on net sales of $961.1 million for the same period of the previous year. The 2005 results included a charge of $6.5 million for losses associated with the data theft.The story is much the same for Polo Ralph Lauren Corp., which exposed 180,000 customer records in April 2005.

"Management does not expect that the ultimate resolution of this matter will have a material adverse effect on the Company's liquidity or financial position," the company wrote in its annual report filed June 15.

Ralph Lauren expects to pay $13 million to settle claims by banks related to the breach - fraudulent credit card charges, the cost of replacing cards and related monitoring expenses. That's a drop in the bucket compared to the company's 2006 sales of 3.7 billon and net income of $308 million.

The costs for ChoicePoint Inc. have been higher, but the company still believes that it won't feel a pinch in its cash flow, despite acknowledging that "there are other instances that will likely result in notification to consumers," besides the 145,000 records it exposed in February 2005, it wrote in its quarterly report filed May 9.

ChoicePoint, based in Alpharetta, Georgia, reported record revenue of $1.1 billion for 2005, a 15 percent increase over 2004. Operating income decreased 2 percent, to $237.1 million, largely because of a pre-tax charge of $8.0 million for its settlement with the FTC and another a $19.3 million charge for legal expenses and other fees.

The settlement cost, which included a $10.0 million civil penalty, a $5.0 million fund to be administered by the FTC for consumer redress initiatives, and a $4.0 million charge for additional information security obligations, would have been higher but ChoicePoint received $11.0 million in insurance proceeds.Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer organization, agrees with Varney that many companies see the losses associated with security breaches as the cost of doing business. But they're also concerned about their image.

"Suffering a security breach does give a company a public relations black eye," she says. "They could lose customers, they could certainly lose trust and it might take them a while to regain the customers they lost and regain a good reputation."

That acts as a catalyst to improve security practices, Givens says. Companies typically now pay for a year's worth of credit monitoring for victims, which combined with the expense of notifying them, could cost several million dollars. "The big company can laugh it off ... but a smaller company will feel the pinch."

Privacy Rights Clearinghouse estimates that nearly 90 million records containing sensitive personal information have been involved in security breaches, starting with ChoicePoint. That incident led 30 states to follow California's lead and pass a law that requires consumers to be notified of a breach in the security of computerized personal information.

There is no such federal law, though a pair of bills are under review in Congress.Varney says she is skeptical that legislation can be created that would be effective because commercial interests are too great.

Ira Rubinstein, the associate general counsel for regulatory affairs and public policy for Microsoft Corp., who spoke on the same panel as Varney at the Identity Mashup conference, disagreed with her. "The laws are beginning to impose very significant costs in terms of fines and corporate reputation."