Archive for August, 2007

We have only risk management.

Sunday, August 19th, 2007

“Of course,” he says, “we have no idea, now, of who or what the inhabitants of our future might be. In that sense, we have no future. Not in the sense that our grandparents had a future, or thought they did. Fully imagined cultural futures were the luxury of another day, one in which ‘now’ was of some greater duration. For us, of course, things can change so abruptly, so violently, so profoundly, that the futures like our grandparents’ have insufficient ‘now’ to stand on. We have no future because our present is too volatile. We have only risk management.”

–Bigend, p. 57 from Pattern Recognition by William Gibson.

I’m re-immersing myself in the world that William Gibson introduced in Pattern Recognition before reading the just-released Spook Country. Good stuff.

Why TJX and Ponemon disagree

Friday, August 17th, 2007

At Emergent Chaos, Adam is pondering the discrepancy between what TJX has set aside for its breach and the $187-per-record loss figure that is making the rounds:

So TJX recently announced a $118m setaside to deal with the loss of control of 45 million records. Now, I’m not very good at math (if I was, I’d say $2.62, not $3), but it seems to me that the setaside is less than $3 per record. That doesn’t line up with the $187 per record that’s going around. In fact, it’s off by a factor of 60. Even if I’m not good at math, I can see that.

So to every journalist who’s quoted $187, I ask: what’s up with that discrepancy?

I think the real question is, “What’s the breakdown of fixed versus variable costs for a breach?” The topline number isn’t all that useful without some sort of cost breakout.

I forget what the average number of lost records in the PGP/Ponemon study was (the source of the infamous $187 number), but I think it numbered in the thousands (like 5,000. I’m sure someone will go look and correct me).

As a result, the fixed costs in that study were spread over relatively few records, so the per-record figure carries a heavy loading of fixed cost. On a smallish (tens of thousands of records) breach that I once built a post-incident cost model for, fixed costs ran to a couple million dollars by the time the lawyers, investigators, crisis PR folks, etc. all got paid. Our time was “free” since we were salaried, but it was also a few thousand hours of fairly expensive people across all groups, so another million bucks give or take.

The per-record costs then vary depending on whether you have to notify (<$3/record for printing, stuffing, and mailing), buy credit monitoring ($10/year? less in bulk), etc. If you have to pay for re-issuing credit cards, I think that’s ~$28/card.

So, yes, I believe that the $187 number is useful, but only in certain circumstances (losses of thousands rather than millions of records). But I also believe that the TJX cost has significant externalities that they don’t even want to publicly acknowledge for fear of being put on the hook for them in court.
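To make the fixed-versus-variable argument concrete, here is a small cost model, added as an example and not the author's own post-incident model. Every dollar figure in it is an assumption loosely following the ballpark numbers in the post (a couple million of external fixed cost plus about a million of staff time, under $3 per record to notify, $10 per record-year of monitoring, $28 per card reissued); the class and function names are invented for the example. The point it demonstrates is that the per-record cost falls toward the variable rate as the record count grows, which is why a per-record figure from a survey of thousand-record breaches cannot be multiplied out to a 45-million-record one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachCostModel:
    """Fixed-plus-variable breach cost model.

    All dollar amounts are illustrative assumptions, not measured data:
    the fixed amounts echo the post's "couple million" of external spend
    plus roughly a million of salaried staff time, and the per-record
    rates echo its ballpark notification, monitoring and reissue costs.
    """
    fixed_external: float              # lawyers, investigators, crisis PR (assumed)
    fixed_internal: float              # salaried staff hours; not free in practice (assumed)
    notify_per_record: float           # print, stuff and mail one letter (assumed)
    monitoring_per_record_year: float  # one year of credit monitoring for one person (assumed)
    reissue_per_card: float            # replacing one payment card (assumed)

    def fixed_cost(self) -> float:
        return self.fixed_external + self.fixed_internal

    def variable_per_record(self, notify: bool = True, monitoring_years: int = 0,
                            reissue_fraction: float = 0.0) -> float:
        """Variable cost of a single record under a chosen response."""
        per_record = 0.0
        if notify:
            per_record += self.notify_per_record
        per_record += self.monitoring_per_record_year * monitoring_years
        per_record += self.reissue_per_card * reissue_fraction
        return per_record

    def total_cost(self, records: int, **response) -> float:
        return self.fixed_cost() + self.variable_per_record(**response) * records

    def per_record_cost(self, records: int, **response) -> float:
        if records <= 0:
            raise ValueError("records must be positive")
        return self.total_cost(records, **response) / records

    def fixed_share(self, records: int, **response) -> float:
        """Fraction of the total that is fixed cost; near 1 for small breaches, near 0 for huge ones."""
        return self.fixed_cost() / self.total_cost(records, **response)

    def breakeven_records(self, **response) -> float:
        """Record count at which the fixed cost per record equals the variable cost per record."""
        variable = self.variable_per_record(**response)
        if variable == 0:
            raise ValueError("no variable cost, so fixed cost never breaks even")
        return self.fixed_cost() / variable


# Assumed figures, loosely following the post's ballpark numbers.
MODEL = BreachCostModel(
    fixed_external=2_000_000,
    fixed_internal=1_000_000,
    notify_per_record=3.0,
    monitoring_per_record_year=10.0,
    reissue_per_card=28.0,
)


def compare_scales(model: BreachCostModel = MODEL) -> dict:
    """Per-record cost for survey-sized breaches versus a TJX-sized one."""
    return {
        "survey_sized_5k": model.per_record_cost(5_000, notify=True, monitoring_years=1),
        "tens_of_thousands_50k": model.per_record_cost(50_000, notify=True, monitoring_years=1),
        "tjx_sized_45m_notify_only": model.per_record_cost(45_000_000, notify=True),
        "tjx_sized_45m_reissue_all": model.per_record_cost(45_000_000, notify=False,
                                                           reissue_fraction=1.0),
    }


if __name__ == "__main__":
    for label, cost in compare_scales().items():
        print(f"{label:28s} ${cost:,.2f} per record")
    breakeven = MODEL.breakeven_records(notify=True, monitoring_years=1)
    print(f"fixed and variable cost per record are equal at about {breakeven:,.0f} records")
```

Under these assumptions the per-record cost is dominated by fixed cost below a few hundred thousand records and by the variable rate above it, so a setaside of a few dollars per record for tens of millions of records is consistent with paying for notification alone, not evidence that the survey figure is wrong. Swap in your own fixed and per-record figures; the shape of the curve is what matters.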

If TJX can reasonably hope to avoid even being tied to losses caused by the breach, then that would make their actions, while morally reprehensible to many, the correct thing to do from a fiduciary responsibility perspective. And since credit card companies aren’t exactly a sympathetic victim, it will almost certainly work.

Also, from a risk management perspective, given the scale of the breach the cost of countermeasures (e.g. re-issuance or credit monitoring for 45 million accounts) will far exceed the expected losses from the incident, so the sensible decision is to accept the risk and absorb the losses rather than pay for the countermeasure.