Are retail data breaches a thing of the past? Hardly. In fact, Pricewaterhouse Cooper's (PwC) Global State of Information Security® Survey research indicates criminal attacks on retail organizations grew 154% in the past year alone, and not only are attacks becoming more common, the same PwC survey results indicate they have a 72% greater impact than they did in 2015.
While the costs of data breaches can vary significantly, it's no secret the impact of these costs is felt in more ways than sheer regulatory fines and notifying affected customers. Join us as we review the state of retail security and what really happens to your balance sheets when cardholder data goes missing.
The State of Retail Information Security
Since Target, Home Depot, and countless other retailers have fallen prey to highly-public data leaks, retailers of all sizes may feel more conscious about security.
The methods of attack used to zero in on retail organizations have evolved. Card skimming, the act of physically tampering with point-of-sale (POS) devices to retrieve data, may be growing less common.
Verizon research notes the common causes of retail security incidents during the last year included:
- Point-of-sale intrusions
- Web app attacks
- Payment card skimming
How Much Do Retail Data Breaches Cost?
Understanding the true cost of a data breach involves looking beyond the pure factors presented in media and associated price tags. There are a number of factors that can drive up the price you pay.
Forty-seven U.S. States and territories have legislation governing the notification of customers affected by a data breach, according to the National Conference of State Legislatures (NCSL). Though laws can vary state-to-state, they typically address which organizations are affected by notification legislature, the definition of a data breach, and appropriate means of notification.
An organization's policies and applicable laws determine the ability to electronically notify customers or utilize standard mail. Generally, this is one of the cheapest aspects of a data breach, costing just several dollars per record.
2. Credit Monitoring
While specific requirements can vary, most organizations are either required or volunteer to offer free credit monitoring services to customers following a breach. This may be done on an opt-in basis. While subscription fees can fluctuate, organizations may expect to pay approximately $150 per year for each customer who receives credit monitoring.
3. Forensic Investigators
Hiring a third-party subject matter expert to conduct forensic analysis is a common response to a confirmed security incident with data loss. Dependent upon the nature of the breach and existing technologies, forensic analysis may be used to determine:
- Root cause of a breach
- Extent of data affected
- Breach reporting
- Recommended actions
The hours required to conduct this analysis can vary significantly, and having high-quality audit logs in place can significantly speed up the process. While investigation rates differ, companies can expect to pay approximately several hundred to thousands of dollars per hour for this highly-specialized consultant service.
4. Legal Defense
Along with forensic investigative assistance, many organizations will choose to enlist the help of an experienced attorney for legal advice and/or defense during the months following notification. Though legal costs can depend on the extent of in-house counsel and other needs, the hourly rate of highly-skilled attorneys may range from several hundred to thousands per hour.
5. Legal Settlements
The prominence of your organization and the number of customers affected by the breach may increase your chances of being faced with a class action lawsuit. Settlement amounts can differ significantly, however, the legal settlement for the Home Depot breach in 2014 was previously reported as close to $20 million.
6. Regulatory Fines
If a retail organization is found non-compliant with Payment Card Industry Data Security Standards (PCI DSS) requirements at the time of a data breach, regulatory fines are a concern. Fines are calculated based on the results of the forensic investigation, which the breached organization is responsible for completing and presenting.
Dependent upon the length of the breach and level of PCI compliance an organization is responsible for, regulatory fines for retail organizations typically range from $5,000 to $500,000.
7. Loss of Revenue
A loss of customer data can result in a loss of customer trust. Even if an organization takes every possible action immediately to remediate issues, there is chance revenues will take a hit in the months following the incident. While industry-wide statistics on the average loss of revenue are not available, it's safe to assume this financial hit may be extensive.
8. Customer Churn
Your organization may have the opportunity to rebuild relationships and trust with some customers following a data breach, however other connections have the potential to be permanently lost. Dependent upon the level of relationship loyalty, the financial impact of customer churn may be the single most expensive factor associated with a data breach.
So How Much Does a Retail Data Breach Cost?
The price tag your retail organization can expect to pay in a retail incident with data loss could vary significantly depending on legal settlements, forensic investigations, and the resultant loss of revenue.
While retailers certainly can and do financially recover from major security incidents, this process rarely occurs quickly. In some of the most visible retail breaches, there's a chance the image of poor data security practices will never fully go away.
How to Protect Your Retail Organization from a Data Breach
While the true cost of retail data breaches can vary significantly, there is no question that an incident with data loss can be an incredibly expensive event. For smaller retailers, it may be impossible to financially recover from the regulatory fines, legal bills, and public image loss of a cybercriminal attack.
By recognizing the risks of your point-of-sale systems and other vulnerabilities, retail security professionals can enable critical oversight into their company's infrastructure. By understanding the early warning signs of an incident in progress, you can act quickly and prevent devastating financial outcomes.
To learn more about CimTrak's PCI-compliant integrity monitoring solutions for point-of-sale systems, click here, or download our PCI DSS brief today.
October 4, 2016