Quarterly financial results released by Heartland last week show that the card payment processor has accrued $139.4 million in breach-related expenses. The figure includes a settlement totaling nearly $60 million with Visa, another of about $3.5 million with American Express and more than $26 million in legal fees.
That total also includes $42.8 million that Heartland has set aside to fund proposed settlements with several other litigants over the breach. One example of what the fund is set up for is Heartland's against it for $4 million.
So far, Heartland has recovered about $30 million from insurance companies. Even with the updated figures, Heartland so far has spent considerably less than the it would eventually spend to address its massive 2006 data breach.
Even so, given the scope of the Heartland breach, in which an estimated 130 million credit and debit cards were compromised, it is likely that Heartland will end up spending more than TJX over time.
Heartland's disclosure of its breach-related expenses comes at a time when studies show that costs to companies from data breaches is steadily rising. The Ponemon Institute said it found the average cost per security breach incident in the U.S. in 2009 was $6.75 million. On average, companies spent about $204 per breached record, the study found.
Costs to companies from data breaches are significantly impacted by notification laws, the Ponemon study noted. In the U.S., the cost per lost record is 43% higher than the global average because of breach notification laws in 48 states.
Another big cost is the lost business due to lost or eroded customer trust following a data breach, the Ponemon study found. The negative publicity surrounding a data breach makes it costlier for customers to retain existing customers or attract new ones, the study found.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld . Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .
in Computerworld's Cybercrime and Hacking Knowledge Center.