Data breach expenses barely negligible in retailers' financials

March 27, 2015

NEW YORK (3/30/15)--A review of top merchants' financial statements found that the cost of data security breaches--while devastating to credit unions and consumers--barely makes a dent in their annual revenues.

Benjamin Dean, a fellow for Internet governance and cybersecurity at Columbia University's School of International and Public Affairs, examined 10-K reports filed by Sony, Target and Home Depot with the U.S. Securities and Exchange Commission.

Among his findings:

  • Target's 2013 breach affected 40 million credit and debit cards and 70 million personal information records. The company reported gross expenses of $252 million. Once the insurance reimbursements and tax deductions were accounted for, the net losses totaled $105 million--equivalent to 0.1% of 2014 sales;
  • In 2014, Home Depot had a breach that affected 56 million credit and debit card numbers and 53 million email addresses. The home improvement retailer incurred net expenses of $28 million after an insurance reimbursement of $15 million. Those expenses are less than 0.01% of Home Depot's 2014 sales; and
  • Sony reported the November 2014 hack into its computer systems--which exposed Social Security numbers and personal emails--would cost $44 million. However, estimates now put the impact at $15 million in investigation and remediation costs. These losses represent 0.9%-2% of Sony's total projected sales for 2014.

"It therefore does not make economic sense for companies like Home Depot to make large investments in information security. As a result, they do not," Dean wrote. "The insurance pay-outs and tax deductible breach-related expenses weaken the incentives even more."

Dean also cited CUNA's research that found the Home Depot breach cost credit unions $60 million.

Dean's article was picked up by FORTUNE, CBS MoneyWatch and The Wall Street Journal.

Target's announcement that it settled a consumer class-action lawsuit for $10 million does not mean financial institutions are being recompensed. The settlement only covers payments to consumers for damages they can prove.

"Credit unions continue to protect their members as a result of merchant data breaches--and there's no end in sight. It's high time for merchants to be held to the same standards as financial institutions to ensure all consumers' private information is protected," CUNA President/CEO Jim Nussle said after Target settled a $10 million consumer class-action lawsuit (News Now March 20).

CUNA also signed on to a letter to Congress from financial services associations that suggested merchants look toward innovative security instead of increased usage of chip-and-PIN EMV cards--status quo security that does not protect consumer data (News Now March 24).