2007 has not been a good year for consumer data security, if one measures by the size and number of records compromised by data security breaches that have occurred this year. Data security breaches have affected millions of consumers around the globe. Large scale breaches grabbed the headlines, beginning in January, 2007 with the theft of the personal information of 45 million customers of the retailer TJX, and culminating with the loss of personal records of 25 million national insurance and child benefit recipients in the UK by a government agency last month.. In between were reports of breaches at the U.S. Department of Veteran’s Affairs, the U.S. Department of Agriculture, Monster.com, the State of Ohio, and numerous colleges and universities. The Consumers Union reports that the total number of records of total number of records containing sensitive personal information involved in security breaches in the U.S. is currently 216,251,736, although this number is likely larger since in the case of many breaches, the total number of records compromised is unknown.
A recent study by the Ponemon Institute shows that data breach costs continue to rise. Ponemon Press Release In its 2007 Annual Study: Cost of a Data Breach, it found that in 2007, data breach incidents cost companies an average of $197 per compromised customer record, compared to $182 in 2006. Lost business opportunity, including customer turnover and expenditures to acquire new customers, was the most significant component of the cost increase. Other cost factors include legal, investigative and administrative expenses, reputation management, and costs related to customer support, such as credit monitoring fees and consumer hotlines. The study found that one category of expenditure had decreased from 2006, however; the cost of notification of consumers fell 40 percent, decreasing from $25 per customer in 2006 to $15 per customer in 2007. This may indicate that the data breach notification and security freeze laws enacted in more than 30 states, many of these laws became effective in 2006 and 2007, have allowed for a more certain and measured approach to notification to U.S. residents by companies than in the past.
Consumers have noticed the increase in data security breaches, and consumer confidence in the organizations with which they share their data has declined. In a separate study, the 2007 Consumer Survey on Data Security issued by Vontu and the Ponemon Institute, 62% of respondents indicated that their personal data had been stolen, and 84% of those respondents reported increased anxiety and loss of confidence resulting from the data loss events. Such a loss of trust will likely affect the consumers buying behavior. While consumers may toss the annual privacy notices received from their financial institutions, consumers do read the privacy notices on websites, and truly care about these notifications.
Companies will be wise to make note of the results of these studies. The persistent problem will continue to be how companies deal with data security. Preventing compromises in data security is the surest way to avoid the costs and issues discussed above. The study makes clear that erecting another firewall within the company isn’t the solution, since the confidential data to be protected is actually in the possession of third parties. More than a third of data breaches result from data being shared with third parties in connection with outsourcing arrangements. Companies need to look closely at how they are sharing the data with their third party service providers, what security measures they have imposed on their providers, and work with the providers to make certain the necessary data security strategy that has been agreed upon is in fact in place. Too often, the company hires a company, shifts responsibility for security of the data to be processed by the third party service provider to that party, and never gives it another thought. Requiring periodic audits and reports can help detect weaknesses in the security of the data and perhaps avoid the expense and embarrassment of a security breach.