Shostack + Friends Blog Archive


Popping pills

Breach disclosure foes say that notifying those whose personal information may have been revealed in many breaches is costly, and often not commensurate with actual risk to consumers. A well-written example [pdf] can be had from the Political and Economic Research Council, which reports that direct notification costs are about $2.00 per notified person.
So, today a company that sells pain pills is recalling them because 200 out of 70 million tested contained metal shards that could cause intestinal discomfort or tiny mouth cuts. This discovery was made as part of the investigation of a production line machine that was wearing unexpectedly rapidly.
Direct costs of the recall are $667,000, according to SEC filings by the firm, Perrigo. 11 million bottles of various sizes are involved. Assuming that the average bottle capacity is 100 capsules (which I feel is an underestimate), this is about one billion capsules. If the factory observed contamination rate is correct, then about 2857 capsules will contain shards. The direct notification cost per shard is thus $236.
Meanwhile, the stock price was off 5.6%, for a market cap loss of $92.5 million.
It’s interesting that there is intense opposition in some quarters to breach notification requirements, where direct costs to notify are in the two-dollar-per-victim range and the impact on share prices is ambiguous, yet there is little argument against recalls (and their attendant costs) in situations such as the one described above.

3 comments on "Popping pills"

  • David Brodbeck says:

    I think it’s a matter of perceived risk. Companies have been ruined in the past by contaminated medications, because trust is so vitally important when people are buying pills. Maybe companies won’t see a benefit in breach notification until there’s a real danger people will stop dealing with companies that lose their information and then don’t tell them.

  • Josh says:

    Hmmph. If the information about me isn’t worth the cost of notifying me when it’s misplaced, then don’t keep the information. Why should I care what economists think? I like being my irrational self.

  • me says:

    Well, I don’t like the idea of metal shards in pills. You expect that to be safe. Pain pills: sick people take them, junkies take them in quantity, babies suck or swallow them. Vulnerable people don’t need more risks, and that $92 million is not ‘real’ money. It’s just nonsense. They won’t go out of business, and their reputation won’t suffer as much as it would if there was just ONE headline about a baby or elderly person with a cut stomach.