John Donaldson talks about how compensation from banks after data breaches to consumers may not be sustainable.
As a newcomer to the data security software industry, understanding the marketplace and the costs involved for companies that have experienced a data breach has been a critical part of my learning curve. And you don’t need to look far through the industry research to see that the risks are rising dramatically; the number of data breaches in the first six months of 2017 is already eclipsing the total for 2016.
The IBM and Ponemon Institute’s 2017 Cost of a Data Breach Study puts the average figure at around $3.62m, while a recent estimate of the financial damage incurred by a breach at a FTSE 100 firm was a colossal £120 million. Beyond regulatory fines and the loss of consumer confidence, a significant part of this figure comes from the cost of compensating the ultimate victims. For example, following the recent Equifax breach, over 50 class action lawsuits have so far been filed against the credit company. With up to 143 million people’s credit details exposed as part of the breach, this could end up being extremely costly for the organisation.
Against this backdrop, it’s fair to say that payment card data is particularly vulnerable. According to the Nilson Report, global credit card losses reached $21.84 billion in 2016, a figure it predicts will keep rising and top $31 billion in 2020. For ‘card-not-present’ purchases, made online or over the phone, losses increased by 9 per cent to £432.3 million in 2016 in the UK alone, according to Financial Fraud Action, the financial services fraud protection body. As consumers, can we assume that the organisations we entrust with our payment card data will continue to take responsibility for the safety of those details when faced with such large cost and compensation figures?
Consumers have remained king…for now
So far, consumers have been well protected from the financial effects of data breaches. We may have had the ‘hassle’ of having to cancel cards, or explain to banks that an attempted transaction was not our own, but by and large, retailers and credit card companies have been quick to reimburse customers for suspicious transactions. I recently attended a conference at which one of the speakers admitted that his own organisation had simply added a zero to a proposed compensation figure for a customer when it appeared that data security rules had not been followed correctly.
Can such pay-outs be sustainable in the long term? While attacks on personal data still make the headlines, they are becoming increasingly commonplace and the cost of compensation will increase dramatically as law firms catch on to a new source of litigation income. As companies, either proactively or through industry-specific regulation, upgrade their data safeguarding tools, could we reach a stage where consumers themselves have to share the cost?
At present, consumers in the UK certainly aren’t feeling the pressure – the majority of us are relatively relaxed about our personal data. Research conducted by Semafone found that only 54 per cent of respondents were worried about losing their bank details through a data breach. And less than a quarter said that they would switch bank if their financial service provider suffered a breach. It could be argued that if we knew that we would bear the cost of our card details falling into the wrong hands, we would be a lot more careful about who we shared them with.
Putting in financial safeguards
Insurance companies are also offering an avenue of protection for organisations handling card data. The adoption of cyber fraud policies has increased dramatically with the realisation that the EU General Data Protection Regulation (GDPR) will come into force in 2018 regardless of Brexit. The new regulation will bring with it fines of up to €20 million for data breaches, effectively making cyber insurance a necessity for companies handling large amounts of customer data. It follows that more companies will take out policies to cover the compensation payments that run alongside the fines.
It’s fascinating that organisations are paying such large fines and at the same time protecting their customers fully from the consequences. As companies introduce two-factor authentication and more sophisticated algorithms that analyse customer spending patterns, there is real investment in reducing both the likelihood of data breaches and their impact on the consumer. Ultimately, it’s not simply a question of whether a bank or a retailer is required to pick up the tab. Most organisations are out there to make a profit, so the cost of a data breach is inevitably going to be passed down to the consumer in some way. Fines, compensation payments and insurance premiums will all be redistributed to the consumer via higher fees from banks or higher prices from retailers.
There is no excuse for delaying data security
Everyone suffers when personal data is stolen. Yet, at present, most retailers and banks continue to drag their feet when it comes to data security, taking a risk on a few pay-outs rather than investing in effective prevention. But with data breaches an ever-increasing threat and a popular topic for the media, business leaders need to act now if they are to protect customers’ sensitive information, along with the company’s reputation. And if there is a bigger motivator than money, we’re yet to see it, although negative publicity is rapidly challenging this; warning shots were fired earlier this year when US retailer Target was ordered to pay $18.5 million in fines to 47 states and the District of Columbia as a result of its massive data breach in late 2013. Conversely, Ashley Madison, a dating website, was fined a mere $1.66 million for its massive data breach; however, the brand suffered enormous negative publicity, which affected the long-term viability of the business. Clearly, putting off data security comes with consequences that should be keeping those in the boardroom awake at night.
It’s true that there’s no silver bullet that will completely stop cybercrime, but many companies are leaving it incredibly late to implement the right technology to keep customer data safe – there’s still a lot more that can be done. If we don’t take the time and spend the money to protect customer data, we are accepting that losses will continue to grow. And by shielding the consumer from the consequences of fraud now, we may be saving up a much larger bill for them to pay later.