At the end of the day the financial fallout for companies hit by high-profile data breaches such as Sony, Target and Home Depot has not been significant. In fact, the actual expenses for each company amounted to less than 1% of its annual revenues, and after tax deductions the losses are even smaller.
This NextGov article explores a “market failure relating to asymmetric information, which results in the problem of ‘moral hazard’ for private companies in the area of information security.” Moral hazard arises when one organization can take on greater risk because other organizations bear the cost of those risks. In this case those other organizations are credit and debit card providers, which in the month of September 2014 alone spent $60 million replacing compromised cards related to the Home Depot breach.
This idea of moral hazard means that it does not “make economic sense for companies like Home Depot to make large investments in information security. As a result, they do not. The insurance pay-outs and tax deductible breach-related expenses weaken the incentives even more.”
Continue reading here to learn more about how governments are trying to address the issue.