How Can We Put a Price on Security?

The news that Target has agreed to pay out a $10 million settlement over its November 2013 data breach is disturbing. It’s not troubling only because Target has agreed to pay out a mere $10 million for a breach that affected more than 60 million people. What’s truly alarming is that a growing number of businesses, including Target, seem to view security breaches and the associated legal and settlement costs as the price of doing business.

Target has more than $2.2 billion on its balance sheet. $10 million is less than half of 1 percent, or the equivalent of 10 cents on $22. Worse, it’s not even certain that the people affected by the breach will be able to obtain anything from the settlement.

The burden of proof is heavily on consumers, who must explicitly demonstrate a loss—including documenting unauthorized charges, time spent addressing unauthorized charges and other costs, such as credit monitoring. Experts say that the most a consumer is likely to receive is $50 or $100.

Based on this incident and so many others, one has to wonder whether American businesses have any real incentive to lock down systems and secure data. Study after study show that business and IT leaders are complacent and sometimes inept in dealing with the risks posed by cyber-criminals.

Jonathan Sander, Strategy & Research Officer with security vendor STEALTHbits, offers some sobering perspective: “Executives will make choices to ignore proactive compliance because they know the cost of change will outweigh the cost of fines. Since breaches and security issues are now so common and widely reported, executives have the numbers they need to know if good security would be more expensive than the total cost of a breach.”

But, wait, it gets worse (or better, depending on your perspective). “Last November, Target’s stock was at pre-breach levels and now the company is trading at new highs,” Sander continues. “If I’m on the board of directors, I may not think the cost of the Target breach would be worth the price of the massive changes needed to have truly strong security.”

The current state of affairs is disheartening. There’s growing indifference to the pain and suffering caused by these breaches, including the costs incurred by consumers.

When everything, including security, is only about dollar costs and squeezing out maximum profits, we are headed down a dangerous and disturbing path. Companies such as Target may escape any real accountability but, in the end, the entire system is at risk of crumbling … and eventually collapsing.