There's something to be said about CYA. But it's not just you you're covering when you do that sort of thing. I think the problem is that corporate officials don't always realize (until you get to the stratospheric heights of management) that data loss and data theft is a monetary issue. 1s and 0s don't count for much. It's *just* information.

But if you start putting a dollar amount on the issue, it might help draw attention to your plight.

Here are the things I would start adding monetary values to: bad publicity, legal fees, paying for the customer's credit monitoring for the next X number of years, losing market share, re-training employees (or getting new ones) and the possible cost of hardware improvements (wireless credit card machines broadcasting in the clear, anyone?).

Hand them that invoice, and I guarantee they'll either think you're crazy or finally sit up and take notice.