Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

The Small Penalty For Big Data Breaches

Confidential customer information is precious but many large public companies that have experienced data breaches in recent months pay only a small price in fines and the impact on their financial performance for failing to protect this data.

"Paying a couple million [dollars] in a fine to the Federal Trade Commission and another couple million to send notices out [to victims] is nothing," says Christine Varney, head of the Internet practice group at Washington, D.C. law firm Hogan & Hartson. "It's irrelevant. It's a cost of doing business."

Varney, who served as a Federal Trade Commissioner for five years in the 1990s, says she has defended or counseled many companies that have mistakenly disclosed personal data like Social Security numbers, bank account numbers and driver's license numbers. She spoke last month at the Identity Mashup conference at Harvard Law School in Cambridge, Mass. Varney does not believe that data breach notifications mean much to victims because the companies that hold the data do not bear financial responsibility for disclosing it.

"Do I think the vast majority of Fortune 1,000 consumer-facing companies take it very seriously? Absolutely not. They are the people in my office after they get caught," Varney says.

Varney says the companies give "no thought to the value that they need to place on the security of data they hold."

Their mistakes certainly haven't made a dent in their earnings, at least according to financial statements filed by three public companies that have committed data breaches.

Business is booming for shoe retailer DSW Inc., of Columbus, Ohio, which allowed hackers to gain access to credit card, debit card, and checking account information of more than 1.4 million customers in the March 2005. The company has since settled with the FTC, but in its quarterly report filed April 13, DSW had this to say: "Although difficult to quantify, since the announcement of the theft the company has not discerned any material negative effect on sales trends it believes is attributable to the theft."

In fact, sales and profits are up. DSW's net income was $37.2 million on net sales of $1.1 billion for fiscal year 2005, which ended January 28, 2006. That compares with net income of $35.0 million on net sales of $961.1 million for the same period of the previous year. The 2005 results included a charge of $6.5 million for losses associated with the data theft.

  • 1