August 17th, 2007 by Chandler Howell

At Emergent Chaos, Adam is pondering the discrepancy between TJX’s losses and the $187/record loss cost:

So TJX recently announced a $118m setaside to deal with the loss of control of 45 million records. Now, I’m not very good at math (if I was, I’d say $2.62, not $3), but it seems to me that the setaside is less than $3 per record. That doesn’t line up with the $187 per record that’s going around. In fact, it’s off by a factor of 60. Even if I’m not good at math, I can see that.

So to every journalist who’s quoted $187, I ask: what’s up with that discrepancy?

I think the real question is, “What’s the breakdown of fixed versus variable costs for a breach?” The topline number isn’t all that useful without some sort of cost breakout.

I forget what the average number of lost records in the PGP/Ponemon study was (the source of the infamous $187 number), but I think it numbered in the thousands (like 5,000. I’m sure someone will go look and correct me).

As a result, they had a high loading of fixed costs per record. On a smallish (tens of thousands of records) breach that I once built a post-incident cost model for, fixed costs ran to a couple million dollars by the time the lawyers, investigators, crisis PR folks, etc. all got paid. Our time was “free” since we were salaried, but it was also a few thousand hours of fairly expensive people across all groups, so another million bucks give or take.

The per-record costs then vary depending on whether you have to notify (<$3/record for printing, stuffing, and mailing), buy credit monitoring ($10/year? less in bulk), etc. If you have to pay for re-issuing credit cards, I think that’s ~$28/card.
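The fixed-versus-variable breakdown above, turned into a small cost model as an added example (not from the original post). The dollar figures are the post's own rough numbers (about $3M fixed, <$3 to notify, $10/year monitoring, ~$28 per re-issued card); the breach sizes used in the demonstration are assumed for illustration.

```python
# Added example: fixed-plus-variable breach cost model. The unit costs are the
# rough figures quoted in the post; breach sizes below are constructed inputs.

FIXED_COST_USD = 3_000_000      # ~$2M outside lawyers/investigators/PR + ~$1M internal staff time
NOTIFY_PER_RECORD = 3.0         # printing, stuffing and mailing a notice (post: < $3)
MONITORING_PER_YEAR = 10.0      # credit monitoring per person per year (post: $10?, less in bulk)
REISSUE_PER_CARD = 28.0         # re-issuing a payment card (post: ~$28)


def breach_cost(records, notify=True, monitoring_years=0, reissue=False,
                fixed=FIXED_COST_USD):
    """Return (total_usd, per_record_usd) for a breach of `records` records.

    Fixed costs are paid once regardless of size; each per-record item is
    incurred only when that response is chosen.
    """
    if records <= 0:
        raise ValueError("records must be positive")
    variable = NOTIFY_PER_RECORD if notify else 0.0
    variable += MONITORING_PER_YEAR * monitoring_years
    if reissue:
        variable += REISSUE_PER_CARD
    total = fixed + variable * records
    return total, total / records


def fixed_share(records, **kwargs):
    """Fraction of the headline per-record figure that is fixed cost spread over N records."""
    total, _ = breach_cost(records, **kwargs)
    return kwargs.get("fixed", FIXED_COST_USD) / total


if __name__ == "__main__":
    # Small breach with notification + one year of monitoring vs. a 45M-record
    # breach where only notification is affordable (assumed scenarios).
    for n, years in ((5_000, 1), (26_300, 1), (45_000_000, 0)):
        total, per = breach_cost(n, notify=True, monitoring_years=years)
        share = fixed_share(n, notify=True, monitoring_years=years)
        print(f"{n:>12,} records: total ${total:,.0f}, ${per:,.2f}/record, "
              f"fixed share {share:.0%}")
```

At 5,000 records almost the entire per-record figure is fixed cost; at 45 million records the same fixed spend adds under seven cents per record, which is why a headline average from small breaches cannot be multiplied up to TJX's scale.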

So, yes, I believe that the $187 number is useful, but only in certain circumstances (losses of thousands rather than millions of records). But I also believe that the TJX cost has significant externalities that they don’t even want to publicly acknowledge for fear of being put on the hook for them in court.

If TJX can reasonably hope to avoid even being tied to losses caused by the breach, then that would make their actions, while morally reprehensible to many, the correct thing to do from a fiduciary responsibility perspective. And since credit card companies aren’t exactly a sympathetic victim, it will almost certainly work.

Also, from a risk management perspective, given the scale of the breach, the cost of countermeasures (e.g. re-issuance or credit monitoring for 45 million accounts) will far exceed the expected losses due to the incident, and thus those losses are assumable: it makes more sense to accept the risk than to pay to mitigate it.

- Posted in Security and Risk Management, Risk Management

Chris Says:

Ponemon sez $54 out of $182 were direct costs. (p.7)
Average breach size was 26,300 records (p.9)
(“2006 Annual Study: Cost of a Data Breach”, October 2006)

The biggest component of cost ($98) was so-called “opportunity cost”, which is how they label “turnover of existing customers and increased difficulty in acquiring new customers”. (p.2) It is unclear whether the turnover values used in the report represent numbers above and beyond typical turnover (Adam blogged about this, IIRC). It’d be nice to have the raw data and some more methodological detail.

- August 17th, 2007 at 9:41 pm |

My recent reply to the post at Emergent Chaos for those who might have missed it:

For those reporters (and there were only a few) who bothered to ask Larry Ponemon about the costs, they got an answer that was in line with the estimates TJX just announced. Ross Kerber’s reporting in the Boston Globe back in April (http://www.boston.com/business/personalfinance/articles/2007/04/12/analysts_tjx_case_may_cost_over_1b/) should serve to demonstrate Ponemon’s grasp of the issue, and his own research. Others weren’t so bright, opting instead to simply multiply a breach that represented a statistical anomaly on the high end by the $183/per figure from our 2006 report. While the resulting figure was certainly sensational it was, as others have already pointed out, a misread of the information in the report.

Economies of scale take over when the incident leaps from a sampling that included incidents numbering in the tens of thousands to a breach that was over 45 million.

Mike

- August 20th, 2007 at 1:38 pm |

Hi Mike,

Thanks for confirming what I had suspected but was too lazy to look up and what Chris cared enough to look up.

- August 20th, 2007 at 4:15 pm |

Chris Says:

So Mike, what about the turnover values? Is the 2-7% incremental, or is it turnover observed post-breach but not taking into account the pre-breach normal turnover level, or is it something else (like a best guess by respondents, say?)

- August 21st, 2007 at 6:35 pm |

[…] I’m still catching up on my blogroll, and caught this article over at Emergent Chaos, which also referenced this one by Thurston. Both articles discuss the infamous Ponemon study that claimed the average losses in a breach were $182 per record. […]

- August 28th, 2007 at 11:11 am |

Chris - Thanks for asking the question. Customer turnover is based on observable changes to the affected company’s normal turnover rate. It’s a simple calculation.

Another TJX-related issue that Ponemon has discussed with those who bothered to ask, rather than make rash assumptions, is how TJX could report an increase in sales after the breach when we’ve done studies that consistently show that a breach will result in customer defections. It’s an easy question to answer: those studies were specific to retail banking, where the issues are much different. TJX can lower prices and increase advertising/marketing post-breach. Banks can’t simply knock a few points off their loan rates, or increase interest for depositors. The issues of trust run much deeper where financial services are involved, and the options for responding to the customer are highly restricted.

Mike

- September 5th, 2007 at 8:48 pm |
