According to the Ponemon Institute, the average cost of a data breach in 2013 in the UK was just under £2 million. In many cases, the actual cost was much higher.

As well as significantly impacting the bottom line, these incidents can also have a dramatic effect on share price. A large payment processor was recently breached and, within a week, its share price had already fallen 12%.

The total cost of a breach tends to fall into two buckets:

  • Direct costs resulting from investigating and remediating the breach
  • Subsequent indirect costs such as fines imposed, litigation, damages and a decline in sales as customer confidence is dented and brand reputation is tarnished.

First, there are the direct costs; once a breach has been identified, the imperative is to investigate and contain the incident. At this stage the aim is to limit the damage and understand the source and scale of the problem quickly. Apart from the need to hire expensive incident management specialists, the cost also includes the time spent by internal staff to support the investigation and containment process.

Once a breach has been discovered, organisations have a finite amount of time, depending on the jurisdiction, to notify relevant authorities regarding the breach. Mishandling notifications can lead to severe consequences, including fines and yet more costs.

With the scale and impact of the breach established, the company must exercise due care towards its customers as a matter of urgency. This includes public announcements and separate, individual communications to customers explaining the exact nature of the breach and its impact. Communicating the breach to customers can include sending millions of individual letters, as well as establishing call centres to support the subsequent queries. If the loss of data could result in identity theft or financial fraud, the company also needs to provide customers with identity theft or credit monitoring services free of charge.

Regulatory fines add to the direct costs. The Information Commissioner's Office (ICO), for example, recently issued a fine of £250,000 against a large entertainment company for a breach of the Data Protection Act (DPA).

Over the past decade, merchants have been particularly hard hit due to alleged PCI non-compliance. Visa imposed $13.3 million in non-compliance fines and assessments on two acquiring banks, which processed the payment card information in a breach incident. The banks paid the fines, and then collected the total from a speciality retailer in line with an indemnification agreement. The fines assessed stemmed from the breach of the retailer's payment processing network in a criminal cyber attack.

While the direct costs can be significant, the indirect costs can be even greater. This often begins with a PR storm that consumes valuable senior executive time spent in crisis management. To manage the situation, directors may participate in several broadcasts, explaining the event and the actions that their companies are taking. A considerable amount of time is also consumed responding to enquiries from government agencies, regulatory bodies and consumer groups. Given the potential damage to brand reputation, expensive PR support is often also required.

Alongside the reputational harm, retailers face legal actions when hackers steal consumer data. Customers and small banks recently filed 68 class action suits, in 21 US states, against a large retailer alleging that it didn't take proper steps to protect consumer data.

The banks are also seeking damages for the costs they are incurring because of the breach. They claim to have been "swamped by customers and its members needing to close accounts" to prevent fraudulent activity, forcing them to spend time and money issuing new cards and refunding deposits.

Organisations that suffer a breach also tend to come under greater regulatory scrutiny. This means the company will continue to spend time facilitating and following up on multiple assessments, audits and enquiries from a range of regulatory bodies such as the ICO and the Financial Conduct Authority.

Data breaches inevitably have a negative impact on brand perception and customer trust and loyalty. Retailers risk losing customers if they cannot protect their personal data.

While the threat is real and the implications are far reaching, organisations that are prepared for the worst fare much better at containing the costs and consequences of a breach. Companies that have a strong security posture, an incident response plan and a chief information security officer (CISO) significantly reduce the risk of a breach, as well as the costs incurred should it happen.

Retailers need to understand that in the midst of a data breach, there is no time to decide how to handle it. Now is the time to recognise this threat, understand your company's vulnerabilities and invest effort into developing cyber security defences and response plans should a breach still occur.

Sandeep Kumar is a director in Alvarez & Marsal's Cyber Security Practice, which provides incident response, forensic investigation, CISO interim management and training services globally.

Former Carpetright IT director Ian Woosey is a senior director at professional services firm Alvarez & Marsal. He will be writing a monthly column on cybercrime exclusively for Essential Retail.

http://www.alvarezandmarsal.com/retail