Compliance was already on every manager’s mind before Heartland Payment Systems reported that a breach early this year cost it $12.6 million during Q1 2009 in expenses and accruals.
Of those costs, $6 million were in fines from MasterCard and almost $1 million from Visa for alleged failures in PCI compliance.
“It will be interesting to see how the Heartland breach unfolds. Although $12 million for just the first quarter is substantial — almost twice the average total cost of a breach according to our most recent study — there’s still a lot of dust yet to settle in this case,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in an e-mail to InternetNews.com.
“However the numbers work out, the clear message to businesses is this: ignore data security and you will pay a dear price,” he added.
Heartland (NYSE: HPY) is disputing MasterCard’s assertion that it was not PCI compliant.
“Heartland believes that throughout the events of 2008 and 2009 it has fully cooperated with MasterCard’s investigation of first the suspicion and later the fact that an intrusion had occurred.
“Heartland therefore considers the MasterCard fine to be in direct violation of both the MasterCard rules and applicable law, and it intends and is prepared to vigorously contest, and it has recommended to its sponsor banks that they vigorously contest, through all means available, including litigation if necessary, any liability that may be asserted or imposed upon Heartland or its sponsor banks by reason of this fine,” said Robert Carr, Heartland’s CEO, during the company’s Q1 2009 earnings conference call.
The company passed a recent PCI audit, he added. “We believe that our systems’ defenses were robust previously, but we are pleased to have this third-party confirmation after a very thorough PCI review,” he said.
“MasterCard believes the fines it imposed were warranted and consistent with its rules,” said Chris Monteiro, MasterCard vice president of global marketing communications, in an e-mail to InternetNews.com.
And Heartland continues to pay for the breach. Even the $12.6 million cost number may be low. Bob Baldwin, president and CFO, said on the call that some costs are tougher to allocate specifically to the breach, such as $1 million spent on “encouraging merchant visits” as the company worked hard to retain its customers.
A pending lawsuit and fighting ‘lies’
There is a pending lawsuit that could drive the company into bankruptcy. It’s impossible to forecast how much the case will cost. “We simply do not have the information that will enable us to reasonably estimate the amount of total losses we might incur by reason of such claims, and many of these losses are not currently deemed probable,” said Baldwin.
“We cannot assure you that our financial resources will in fact be sufficient to meet the cash burden we may incur as a result of the breach,” he added.
There are some very specific, clear costs the company is already on the hook for. Baldwin said that Heartland reported a GAAP loss of $2.5 million, or $0.06 per share, after providing for the costs of the intrusion, and said that without the $12.6 million provision for the breach, GAAP profit would have been $5.4 million, or $0.14 per share.
Analysts had predicted income of $0.23 per share, equal to earnings one year ago.
Heartland declined to comment on litigation but a spokesperson said that the company has managed to mitigate one of the costs of the breach. On the call, Carr accused competitors of telling lies about Heartland to win business and said that practice would have to stop.
The spokesperson clarified Carr’s statement in an e-mail to InternetNews.com. “We know of specific misleading statement[s] by competitors, but we’re pleased to say that our aggressive efforts to stop this activity were successful and our competitors cooperated in reining in their spirited sales people,” the spokesperson wrote.