Occasionally, I check Global Payments’ site for information on what their breach(es) last year cost them. Here’s what they reported in their SEC 10-K/A filing today:
For the year ended May 31, 2012, we have recorded $84.4 million of expense associated with this incident. Of this amount, $19.0 million represents the costs we have incurred through May 31, 2012 for legal fees, fees of consultants and other professional advisors engaged to conduct the investigation and various other costs associated with the investigation and remediation. An additional $67.4 million represents an accrual of our estimate of fraud losses, fines and other charges that will be imposed upon us by the card networks. We have also recorded $2.0 million of insurance recoveries based on claims submitted to date as discussed below. We based our estimate of fraud losses, fines and other charges on our understanding of the rules and operating regulations published by the networks and preliminary settlement discussions with the networks. As such, the final settlement amounts and our ultimate costs associated with fraud losses, fines and other charges that will be imposed by the networks could differ from the amount we have accrued as of May 31, 2012. Any such difference could have a material impact on our results of operations in the period in which the associated claims are actually settled, or in the period in which we receive additional information that would cause us to refine our estimate of losses and adjust our accrual. Currently we do not have sufficient information to estimate the amount or range of additional possible loss. In addition, if we need to raise additional funds to finance our future capital needs, given the impact this event may have on our business and financial condition, we cannot provide any assurance that we will be able to obtain such financing on reasonable terms or at all. See “Management’s Discussion and Analysis of Results of Operations” and “Business – Legal Proceedings.”
A security breach like the one that recently occurred, or other misuse of data could harm our reputation and deter existing and prospective customers from using our products and services, increase our operating expenses in order to contain and remediate the breach, expose us to unbudgeted or uninsured liability, disrupt our operations (including potential service interruptions), increase our risk of regulatory scrutiny, result in the imposition of penalties and fines under state, federal and foreign laws or by the card networks, and adversely affect our continued card network registration and financial institution sponsorship.
The Company is insured under a claims-made Professional and Technology Based Services, Technology Products, Computer Network Security, and Multimedia and Advertising Liability Insurance Policy and a claims-made Follow Form Excess Liability Insurance Policy issued by certain syndicates of Lloyd’s Underwriters and State National Insurance Company, respectively, for the policy period beginning June 1, 2011 and ending June 1, 2012. The policies provide a total of $30 million in policy limits that are potentially available to cover certain first-party and third-party technology errors and omissions losses. The policies contain various sub-limits of liability and other terms, conditions and limitations, including a $1.0 million deductible per claim. The insurers have been advised of the circumstances surrounding our recent event. As of May 31, 2012 we have recorded $2.0 million in insurance recoveries based on claims submitted. We expect to receive additional recoveries as we receive assessments from the networks and submit additional claims. We will record receivables for such recoveries in the periods in which we determine such recovery is probable and the amount can be reasonably estimated.
We expect to incur additional costs associated with investigation, remediation and demonstrating PCI DSS compliance and for the credit monitoring and identity protection insurance we are providing to potentially-affected individuals. We will expense such costs as they are incurred in accordance with our accounting policies for such costs. We currently anticipate that such additional costs may be $55 to $65 million in fiscal 2013. We anticipate that we may receive additional insurance recoveries of up to $28 million.
Realizing that their estimates may be off if they do not yet know what the fines will actually be, they’re talking about approximately $145 – $150 million for everything, with maybe $28 million reimbursed? That’s a lot of money….
Update: Using my fingers and toes, I realized after I posted the above that those figures would work out to less than $100 per record if we use the 1.5 million estimate that Global Payments provided for the breach. That’s significantly lower than estimates last year that breach costs average about $194 per record. Their estimates might also inspire companies to consider whether they carry enough breach insurance. $30 million may not be enough in some cases.
I can understand the and the tool itself – the credit card, but I cannot fathom why other smaller countries have a more sophistcated credit card that pretty much deters illegal use. I am trying to think of another service or compnay that would make their money back on this. Eateries, Automobile services, Appliances and such probably would not. Can credit card services make back $100.00 per person? Absolutely.
I don’t get the idea that others might not want to use their company and they MIGHT lose customers. In the end, it boils down to the logo on the card. Very few people pay attention to the near-end processor. All they care about is that when they swipe the card, it goes thru, and the transaction is complete. With the potential for making cash on every swipe, from customer to merchant, sales, ATM fees and more, I am sure this is a heavy dent in the armor, but not one thats going to knock them out. They may be playing up the empathy card some, sort of like saying, give us a second chance, but in the long run, they are probably not going anywhere.
Much like the ARM mortgage, AAA modified junk bonds and mortgages in general it shows that if your out to continually stick it to individuals in the long run, it will probably come back to bite you in the end.