No Harm, No Foul?
Computerworld reported that a federal court judge in Missouri threw out a consumer class-action lawsuit that was brought against Express Scripts, a pharmacy benefits company, regarding a 2008 data breach in which millions of customer records were illegally accessed. The reason? Judge Buckles said that the plaintiff in the case, John Amburgy had failed to show how exactly the data breach had caused him any direct injury or even put him in imminent danger of any injury. "Abstract injury is not enough to demonstrate injury-infact," Judge Buckles wrote. "The injury or threat of injury must be concrete and particularized, actual and imminent; not conjectural or hypothetical." This may be viewed as a "victory" by Express Scripts, but the damages filed by the plaintiff speaks volumes: Amburgy claimed that as a result of Express Scripts' failure to maintain adequate security measures, he and others affected by the breach were at increased risk of identity theft fraud and extortion. He claimed that he and others similar affected had to spend time and money monitoring their credit accounts and reports, prescription records and other financial accounts. When a company, large or small, experiences a situation that affects the confidence and trust of its customers, you cannot put a price tag on how significant that loss is. A corporation's reputation is everything and businesses need to remember they are nothing without their customers. A study released by The Poneman Institute helps to put this in perspective. The findings reported that " the cost of lost business makes up the bulk of the cost of data breaches, and has been going up steadily. "The cost of lost business accounts for 69 percent of the cost of a data breach, the study found. It averages $4.59 million, or $139 per record compromised. This is partly due to increased customer churn, as customers take their business elsewhere. Between 2005 and 2008, the cost of customer churn grew 38 percent, or more than $64 on a per-victim basis, the study found. Not only do angry customers vote with their feet, but they also blab, and that increases the cost of lost business. "People are willing to talk about a problem when they feel they've been marginalized or ignored, and that increases the amount of lost business and the cost of customer acquisition," Ponemon said. 2010 is going to see an abundance of both new and updated federal and state laws going into effect. We would like to think that the overwhelming number of data breaches reported this year would be enough of a wake-up call for companies, but perhaps regulatory enforcement will be what finally makes a difference. Hopefully companies will start to learn that a small IT investment in security technology now will mean substantial savings in finances and reputation later.