Just a bit more than two years ago, I calculated the penalty of mishandling medical records from more than 67,000 people to be $2.09 apiece. Then this morning, reports arrived saying Target has agreed to settle a class-action lawsuit related to its 2013 data breach for what comes to 25¢ for each of the 40+ million credit cards compromised, and only 9¢ for each of the roughly 110 million affected cardholders.
If the decline indicated by these two datapoints proves out, does it mean that the cost associated with these sorts of lapses in governance is coming to be a simple cost of doing business? And if it does, what effect will that have on our ability to bring greater discipline to the practice?
The sheer number of victims involved in the Target case means the company will, pending federal court approval, establish a $10 million fund to cover the payouts. While this isn’t peanuts, it hardly registers as a percentage of the company’s total revenue of $72.6 billion and represents barely one-half of one percent of Target’s net earnings of $1.97 billion.
So what say you? Are these figures small enough drops in the ocean to be meaningless to corporations? Or is the scope of the problem growing large enough to command the kinds of attention we know governance demands?