Breach disclosure foes say that notifying those whose personal information may have been revealed in many breaches is costly, and often not commensurate with actual risk to consumers. A well-written example [pdf] can be had from the Political and Economic Research Council, which reports that direct notification costs are about $2.00 per notified person.
So, today a company that sells pain pills is recalling them because 200 out of 70 million tested contained metal shards that could cause intestinal discomfort or tiny mouth cuts. This discovery was made as part of the investigation of a production line machine that was wearing unexpectedly rapidly.
Direct costs of the recall are $667,000, according to SEC filings by the firm, Perrigo.
11 million bottles of various sizes are involved. Assuming that the average bottle capacity is 100 capsules (which I feel is an underestimate), this is about one billion capsules. If the contamination rate observed at the factory holds across the recalled lot, then about 2857 capsules will contain shards. The direct recall cost per shard-contaminated capsule is thus $236.
Meanwhile, the stock price was off 5.6%, for a market cap loss of $92.5 million.
It’s interesting that there is intense opposition in some quarters to breach notification requirements, where direct costs to notify are in the two-bucks-per-victim range and the impact on share prices is ambiguous, yet there is little argument against recalls (and the attendant costs) in situations such as the one described above.