Reputations on the line

The theft of confidential information through IT security breaches can prove costly in a number of ways.

When external hackers broke into the TJ Maxx owner’s computer systems they were able to steal 100 million credit and debit card account numbers over a six-year period.

Eleven individuals were indicted in 2008 in connection with the breach, but not before it cost the retail firm an estimated $1.7bn (although some reports suggest it was as high as $4bn).

The TJX Companies case is one of the most expensive examples of data breach in history and is most significant for two key reasons. One is that it occurred in the US, where companies are required to notify the public when data has been compromised and where there are costly fines and lawsuits for negligence.

The second is that the stolen data was subsequently used fraudulently. “Information was compromised and used to the detriment of the account holders and that typically will impact reputation more because there is a direct consequence to the customers of the attack,” says Marcus Alldrick, Lloyd’s senior IT manager.

Blemished image

While the retailer suffered substantial financial loss dealing with the cost of the data breach, resulting in legal action (including multi-million dollar class actions) and compensation, the reputational impact of the data breach and fraud was also a substantial burden.

“The last I heard was that $25mn was spent on vouchers to regain footfalls into the stores,” says Alldrick. “The key thing for organisations to understand is that you can suffer financial loss in multiple ways.”

While damage to brand and reputation can be difficult to measure financially, a data leak can quickly put off customers and cause a drop in share price – particularly in the online retail space where fear of fraud remains a primary concern.

“Many of the impacts of cyber-security attacks are secondary, such as reputational damage, decrease in productivity or loss of consumer confidence,” says the new Lloyd’s 360 Risk Insight report, “Managing Digital Risks: Trends, Issues and Implications for Business”.

A great deal has been learnt since the TJX case. The firm had used an outdated wireless security encryption system and failed to install firewalls and data encryption on computers using the wireless network.

Nevertheless, the threat environment is quickly evolving and headlines concerning major security breaches continue to make the front pages of newspapers.

In 2008, the fifth biggest payment processor in the US, Heartland Payment Systems, revealed a breach involving 130 million credit and debit cards. It cost companies, banks and insurers an estimated $128.9mn.

More recently, Zurich Insurance revealed it had lost the personal details of 46,000 customers in South Africa in 2008 during a routine transfer to a data storage centre. The breach was not discovered until a year later.

Growing liabilities

Significantly, the firm was fined £2.27mn by the Financial Services Authority (FSA). The risk of penalty as a result of the loss of sensitive data is becoming more of a reality in the UK, and affecting firms in sectors outside of financial services.

New powers announced earlier this year by the Information Commissioner’s Office (ICO) mean that firms can be fined up to £500,000 as a penalty for serious breaches of the Data Protection Act.

The cost of data breach is also becoming more expensive for companies. “The liabilities for companies are becoming an issue,” says Malcolm Randles, an underwriter at Kiln. “Regulators across Europe, including the ICO in the UK, are continuing to develop legislation shaped by the EU data directive as to how they will regulate and penalise businesses.”

However, to date, the treatment varies considerably between countries and regions. “The EU has a regulatory approach to data protection, which contrasts with the punitive post-incident data breach notification rules in the US,” notes the Lloyd’s report.

In the US, the average total per-incident cost of data breach rose to $6.75mn in 2009, up from an average of $6.65mn in 2008. This is according to a survey by the Ponemon Institute, a privacy and information management research firm.

“The US is a completely different animal,” notes Randles. “They have compulsory notification requirements in almost every state.”

PR and marketing campaigns to counterbalance negative publicity following a breach can run into the millions, while the cost of correspondence with customers – including setting up 24-hour call centres – to inform them of the breach and subsequent action can quickly rack up.

“There is a strong likelihood that the federal or state regulator will pursue you,” says Randles. “If you are a retailer or company that handles credit cards there’s a very good chance that Visa or MasterCard are going to come after you should your business compromise third party credit card information. For every compromised card that has to be shut down there are costs.”

“The UK, Europe, as well as the rest of the world, is slightly different,” he continues. “We have strong data protection laws in the UK – but as such these aren’t the same robust mandatory notification protocols as there are in the US.”

“In the US you are now faced with the strong likelihood of an increased cost of doing business if you handle third party data – the purchase of insurance allows you to transfer the cost of these potential issues.”

Together with Lockton, Kiln Syndicate 510 has developed a “Business Resilience” product covering online fraud, data breaches and other forms of cyber risk. It also covers the loss of revenue linked to the reputational damage caused by a data breach.
