When Société Générale revealed in January that it had lost more than $7 billion due to fraudulent trading activity, most of the headlines focused on “rogue trader” Jerome Kerviel, framing him either as a criminal or a reckless striver. His “perp walk” was eagerly anticipated by a horde of cameramen and his image was plastered on publications and Websites around the world.
Only later did questions emerge about the bank’s role as an enabler, and even then scant attention was paid to the exact manner in which the bank’s processes may have been at fault.
In truth, much of the blame can be traced to poor security, and in that sense the intense coverage of Société Générale joins a long parade of stories devoted to identity theft, computer hacking, and data breaches of all kinds. Despite all that attention, in many respects computer security remains the corporate risk that dares not speak its name. CFOs in particular seem loath to discuss it publicly even when they admit privately that it’s a major concern.
Your Data Is in the Mail — Literally
Perhaps they are wise to stay mum. Since January 2005, the Privacy Rights Clearinghouse has chronicled nearly 1,000 breaches totaling nearly 220 million electronic records (the actual number is much higher because in many cases the number of records lost, stolen, or otherwise at risk is unknown). In February alone, organizations as varied as the Diocese of Providence, Long Island University, Tenet Healthcare, Lexmark International, and a Marine Corps base in Japan saw data compromised due to vulnerabilities that range from the predictable to the ridiculous: lost or stolen laptops, hard drives, and jump drives; malicious and recreational hacking; the actions of vengeful ex-employees; computers left unattended and subsequently used by unknown parties; even poorly glued envelopes that spilled their contents into the mail stream, thus exposing college students’ Social Security numbers and other personal information to…well, who knows?
To date, the uncertainty over what exactly happens to misplaced or flagrantly misappropriated information has been the only bright spot for companies regarding computer security. Because plaintiffs have been unable to prove what, if any, damage resulted from their information falling into the wrong hands, their lawsuits have usually been tossed out of court.
That’s not to say that companies aren’t paying a price. Khalid Kark, an analyst at Forrester Research, estimates that companies pay $90 to $305 per record every time they must react to a breach. Given that a large company may see millions of customer records affected, the total tab could run into the millions or even billions of dollars.
Kark’s cost-per-record figure comprises up to seven separate expenses. Nearly all companies can expect to pay about $50 per record for discovery and notification, a sort of baseline response that entails alerting legal counsel, informing customers (which 39 states now require companies to do), absorbing additional call-center volume, and possibly extending special offers or other perks as a peace offering. If a company agrees to pay for a credit-monitoring service, that can add about $30 per customer. Lost productivity, the impact of customer attrition, and the costs of meeting additionally imposed security and audit requirements (more common for companies in highly regulated industries) can add $40 to $150 per record. And fines imposed by the Federal Trade Commission or other agencies, plus other potential court-mandated costs such as restitution (rare to date, although ChoicePoint had to pay $5 million, or $30 per record) add up to another $115 per record.