Maybe it’s because I grew up in the Midwest. But I just don’t like writing checks to lawyers.
I’ve lots of friends in the legal profession, and all are lovely people (well, most of them, anyway).
But as the pragmatic sort, it pains me to spend money to resolve something that might have been settled at a lesser price well before.
Which leads me to the topic of PCI.
Just reviewed a 2010 study from the data security experts at The Ponemon Institute that looked at the post-incident cost of data breaches. Forget, for a moment, the brand humiliation, the CEO news conferences, the critical whiplash in the blogosphere and throughout Facebook. Ignore, for a moment, that research suggests that 30% of consumers who were victimized by retailer data breaches promise never to patronize the offending brand again.
The Ponemon research found that 42% of all data breach incidents led to the involvement of a third party (there to provide additional, independent investigation, resolve disputes, and soak up consulting fees.)
The average cost of that third party involvement in the United States was $1.52 million, with final resolution costs ranging from $750,000 to upwards of $31 million. That’s on top of lost business estimated at $4.47M per incident.
Total: $6M. Perhaps not fatal to a billion-dollar business, but not a check I’d like to request.
Yes, I know that active, careful PCI compliance is no guarantee. And that active, careful PCI compliance doesn’t put revenue on the top line. And that there’s ongoing confusion about PCI for mobile. And everyone thinks it’s all too expensive. And on and on and on.
But I also know this: active, careful compliance reduces risk. Significantly.
And that the price of risk is not just a bruised brand.