NEW YORK (3/30/15)--A review of top merchants' financial statements found that the cost of data security breaches--while devastating to credit unions and consumers--barely makes a dent in their annual revenues.
Benjamin Dean, a fellow for Internet governance and cybersecurity at Columbia University's School of International and Public Affairs, examined 10-K reports filed by Sony, Target and Home Depot with the U.S. Securities and Exchange Commission.
Among his findings:
"It therefore does not make economic sense for companies like Home Depot to make large investments in information security. As a result, they do not," Dean wrote. "The insurance pay-outs and tax deductible breach-related expenses weaken the incentives even more."
Dean also cited CUNA's research that found the Home Depot breach cost credit unions $60 million.
Dean's article was picked up by FORTUNE, CBS MoneyWatch and The Wall Street Journal.
Target's announcement that it settled a consumer class-action lawsuit for $10 million does not mean financial institutions are being recompensed. The settlement only covers payments to consumers for damages they can prove.
"Credit unions continue to protect their members as a result of merchant data breaches--and there's no end in sight. It's high time for merchants to be held to the same standards as financial institutions to ensure all consumers' private information is protected," CUNA President/CEO Jim Nussle said after Target settled a $10 million consumer class-action lawsuit (News Now March 20).
CUNA also signed on to a letter to Congress from financial services associations that suggested merchants look toward innovative security instead of increased usage of chip-and-PIN EMV cards--status quo security that does not protect consumer data (News Now March 24).