In one of our previous posts, we discussed how organizations can
protect themselves against a costly data breach
and briefly touched upon some of the expenses companies incur once they have been breached.
With federal data breach notification laws now in effect across the US, and similar laws in place in most European countries, organizations who suffer
a cyber-attack are legally required to report the breach, opening the door to negative publicity and a whole raft of associated costs.
Let's quickly run through these costs. For starters, organizations will have the initial breach investigation and repair costs, plus security update
expenses. On top of this, companies should factor in the cost of hiring a legal team to draft breach notification letters and manage the legal ramifications
of the attack. Not to mention a PR team to handle media inquiries and a customer hotline and webpage for information on the steps customers should take
after the breach.
These are typically the main costs you hear reported about when a breach takes place and they can add up quickly. But they pale in comparison to the
ongoing, often hidden costs of a breach. Providing 12-24 months credit monitoring to all the customers whose data has been compromised can mount up to
a large sum, not to mention lawsuits filed by affected customers or credit card companies who require reimbursement for replacing credit and debit cards
that were compromised by the breach. To make matters worse, if it is found that the organization's security was not up to the required industry standard,
then regulatory fines may be issued and cyber insurance claims may be denied.
Long term costs
Next there's the long term effects of a data breach that you won't hear about for months, maybe years later: damage in brand reputation, loss of sales
and devaluation of public stock.
Add all this up and we're not talking small change. On the surface,
Target faced a $250 million bill
after the details of 70 million customer credit cards
were compromised in late 2013. Thankfully, their insurance policy covered $90 million of these costs. Fast forward to August 2015 and this breach has
cost the company over $1.4 billion once you factor in ongoing legal costs and payouts to credit card companies, plus loss of sales revenue due to customers
avoiding the retailer after the breach. On top of this, that number doesn't take into effect the
$100 million Target is now investing
in upgrading all of its POS terminals to accept chip and pin credit cards to improve the security of in-store transactions.
Sony suffered a similar fate,
with repair and additional security costs of $15 million, but a revenue loss of $250 million. The US Office of Personnel
Management (OPM) agreed to
pay for 12 months free credit monitoring
for the initial 4.5 million victims of its recent breach in May which cost $20
million. Since the initial breach, it was discovered that some 22 million individuals had their personal data compromised, meaning this cost could
blow out to over $100 million alone, without
factoring in the upgrade of 30 year old systems and implementing appropriate security technologies.
Data breaches aren't just restricted to big, international companies and government agencies. 74% of respondents to a
recent survey reported loss of
customers after a data breach, with 59% facing potential litigation, and 33% facing potential fines from regulators.
These costs can be compounded if a business fails a security or compliance audit. The resulting fines and mandated security improvements by regulatory
bodies, and possible lawsuit(s) from customers (and employees) skyrocket. In 2013,
Anthem paid a fine of $1.7 million after a
data breach exposed the protected health information of over 600,000 customers as a result of inadequate security. Needless to say, it will be interesting
to see how their latest court battle plays out.
In another example, AT&T were ordered to pay $25 million by the
FCC after a data breach exposed information for more than 250,000 customers. The FCC did not
mince words when handing out the fine, saying that it would "not stand idly by when a carrier's lax data security practices expose personal information."
In the EU, fines for regulatory non-compliance can be up to 5% of global annual turnover.
If the US adopted similar punishments, they may need a cyber-security marathon rather than a sprint to get things in order. Federal agency web applications
failed to comply with security standards 76 percent
of the time. The Department of Veteran Affairs was the worst of all, having
failed cyber security audits for 16 straight years.
Thankfully, on the other side of the coin, regulators in the financial industry, typically the most regulated and security-savvy of all industries, are likely
to take further action to force banks
to upgrade their cybersecurity processes as attackers continue to find ways to penetrate institutions' defences.
In today's world where cyber-attacks are a daily occurrence, if a business fails an audit and then gets breached, you can also kiss any plausible legal defence,
along with any claims for cyber insurance, goodbye.
As 80-90% of business were affected by a data breach in the past 12 months (the numbers vary between different reports), cyber insurance is necessary to help
cover the costs associated with an attack. The cyber insurance market is a rapidly growing industry and is
expected to be worth around $10 billion annually by
2020. With more cyber-attacks comes more cyber insurance claims. And with more claims, comes increased premiums and more stringent requirements. Cyber insurance
won't cover you if you fail an audit or don't meet basic cyber security criteria. In what is a growing trend,
a number of claims are
being denied due to lack of adequate security.
As Philip Lieberman says
- "relying on cyber-insurance when your defences are actually negligent will increasingly become unsustainable - and unavailable."
Lawsuits are also on the rise. The US Office of Personnel Management is being
sued for $1 billion after its data breach. Target has set aside
$10 million for customers who
have fallen victim to credit card fraud after they were hacked. Additionally, Target and MasterCard recently agreed on
a fee of $20 million to
cover the cost of replacing all the credit cards compromised as part of the breach. A similar figure is expected to be paid to Visa.
Adobe and Home Depot both also faced significant legal costs after their respective breaches in 2013.
The healthcare sector has been hard hit of late, with
five major data breaches
occurring that have affected more than 100 million Americans. Health insurer Premera
was slapped with five separate lawsuits after a data breach in March compromised the details of 11 million customers, most notably because three weeks before the
breach was discovered, federal auditors warned
the company that its network-security procedures were inadequate. Fellow health insurer Anthem currently has a
case before the courts after
the massive breach earlier this year that saw some 80 million customer records hacked. (A detailed article on the spate of cyber-attacks on
the healthcare industry can be found at Information Security Buzz).
Until recently, organizations have only faced litigation from those affected by a data breach who have then fallen victim to credit card or identity fraud as a result
of the breach (this changed with the Adobe case). Those customers whose details were stolen, but not
used have had their cases dismissed after successful motions to dismiss were filed by the companies.
In the past, only a low percentage of victims have been successful plaintiffs, as once a breach is discovered, customers can cancel their credit card and request a new
one, which limited the number of resultant fraudulent transactions. However, with the alarming increase in attacks on businesses that store personally identifiable
information (PII) such as addresses, dates of birth, social security numbers, etc. – things that aren't easily replaceable - customers could fall victim months, even
years down the line.
As a result, things are changing. In the past month, Neiman Marcus and
Sony have both had motion to
dismiss cases denied by the courts and will now face class action suits from defendants whose personal data was compromised in the respective breaches. Both courts
ruled that even if victims had not yet suffered as a result of the respective breaches, they will remain vulnerable to identity theft for many years due the companies
failing to protect their PII. Both cases will go to trial either later this year or in early 2016.
Whatever the outcome in these upcoming cases, you can be assured that the cost of a data breach is significant. The only way for a business to adequately protect themselves
from the mountain of costs associated with a breach is to ensure their cyber security policies meet and exceed industry standards and to invest in best-in-class cyber security
solutions to limit the damage.