Legal Ramifications of Data Breaches

August 17, 2015 By Andrew Roberts

In one of our previous posts, we discussed how organizations can protect themselves against a costly data breach and briefly touched upon some of the expenses companies incur once they have been breached.

With federal data breach notification laws now in effect across the US, and similar laws in place in most European countries, organizations that suffer a cyber-attack are legally required to report the breach, opening the door to negative publicity and a whole raft of associated costs.

Let's quickly run through these costs. For starters, organizations will have the initial breach investigation and repair costs, plus security update expenses. On top of this, companies should factor in the cost of hiring a legal team to draft breach notification letters and manage the legal ramifications of the attack, not to mention a PR team to handle media inquiries, plus a customer hotline and webpage with information on the steps customers should take after the breach.

These are typically the main costs you hear reported when a breach takes place, and they can add up quickly. But they pale in comparison to the ongoing, often hidden costs of a breach. Providing 12-24 months of credit monitoring to all the customers whose data has been compromised can mount up to a large sum, not to mention lawsuits filed by affected customers, or by credit card companies that require reimbursement for replacing the credit and debit cards compromised by the breach. To make matters worse, if it is found that the organization's security was not up to the required industry standard, then regulatory fines may be issued and cyber insurance claims may be denied.

Long-term costs

Next there are the long-term effects of a data breach that you won't hear about for months, maybe years later: damage to brand reputation, loss of sales and devaluation of public stock.

Add all this up and we're not talking small change. On the surface, Target faced a $250 million bill after the details of 70 million customer credit cards were compromised in late 2013. Thankfully, their insurance policy covered $90 million of these costs. Fast forward to August 2015 and this breach has cost the company over $1.4 billion once you factor in ongoing legal costs and payouts to credit card companies, plus loss of sales revenue due to customers avoiding the retailer after the breach. On top of this, that number doesn't take into account the $100 million Target is now investing in upgrading all of its POS terminals to accept chip-and-PIN credit cards to improve the security of in-store transactions.

Sony suffered a similar fate, with repair and additional security costs of $15 million, but a revenue loss of $250 million. The US Office of Personnel Management (OPM) agreed to pay for 12 months of free credit monitoring for the initial 4.5 million victims of its recent breach in May, which cost $20 million. Since the initial breach, it was discovered that some 22 million individuals had their personal data compromised, meaning this cost alone could blow out to over $100 million, without factoring in the upgrade of 30-year-old systems and the implementation of appropriate security technologies.

Government fines

Data breaches aren't just restricted to big, international companies and government agencies. 74% of respondents to a recent survey reported loss of customers after a data breach, with 59% facing potential litigation, and 33% facing potential fines from regulators.

These costs can be compounded if a business fails a security or compliance audit. The resulting fines and mandated security improvements from regulatory bodies, along with possible lawsuits from customers (and employees), skyrocket. In 2013, Anthem paid a fine of $1.7 million after a data breach exposed the protected health information of over 600,000 customers as a result of inadequate security. Needless to say, it will be interesting to see how their latest court battle plays out.

In another example, AT&T was ordered to pay $25 million by the FCC after a data breach exposed information for more than 250,000 customers. The FCC did not mince words when handing out the fine, saying that it would "not stand idly by when a carrier's lax data security practices expose personal information."

In the EU, fines for regulatory non-compliance can be up to 5% of global annual turnover.

If the US adopted similar punishments, it may need a cyber-security marathon rather than a sprint to get things in order. Federal agency web applications failed to comply with security standards 76% of the time. The Department of Veterans Affairs was the worst of all, having failed cyber security audits for 16 straight years.

Insurance costs

Thankfully, on the other side of the coin, regulators in the financial industry, typically the most regulated and security-savvy of all industries, are likely to take further action to force banks to upgrade their cybersecurity processes as attackers continue to find ways to penetrate institutions' defences.

In today's world where cyber-attacks are a daily occurrence, if a business fails an audit and then gets breached, you can also kiss any plausible legal defence, along with any claims for cyber insurance, goodbye.

As 80-90% of businesses were affected by a data breach in the past 12 months (the numbers vary between different reports), cyber insurance is necessary to help cover the costs associated with an attack. The cyber insurance market is a rapidly growing industry and is expected to be worth around $10 billion annually by 2020. With more cyber-attacks come more cyber insurance claims. And with more claims come increased premiums and more stringent requirements. Cyber insurance won't cover you if you fail an audit or don't meet basic cyber security criteria. In what is a growing trend, a number of claims are being denied due to a lack of adequate security.

As Philip Lieberman says - "relying on cyber-insurance when your defences are actually negligent will increasingly become unsustainable - and unavailable."

Lawsuit costs

Lawsuits are also on the rise. The US Office of Personnel Management is being sued for $1 billion after its data breach. Target has set aside $10 million for customers who have fallen victim to credit card fraud after they were hacked. Additionally, Target and MasterCard recently agreed on a fee of $20 million to cover the cost of replacing all the credit cards compromised as part of the breach. A similar figure is expected to be paid to Visa.

Adobe and Home Depot both also faced significant legal costs after their respective breaches in 2013.

The healthcare sector has been hard hit of late, with five major data breaches occurring that have affected more than 100 million Americans. Health insurer Premera was slapped with five separate lawsuits after a data breach in March compromised the details of 11 million customers, most notably because three weeks before the breach was discovered, federal auditors warned the company that its network-security procedures were inadequate. Fellow health insurer Anthem currently has a case before the courts after the massive breach earlier this year that saw some 80 million customer records hacked. (A detailed article on the spate of cyber-attacks on the healthcare industry can be found at Information Security Buzz).

Until recently, organizations have only faced litigation from those affected by a data breach who have then fallen victim to credit card or identity fraud as a result of the breach (this changed with the Adobe case). Those customers whose details were stolen but not used have had their cases dismissed after successful motions to dismiss were filed by the companies.

In the past, only a low percentage of victims have been successful plaintiffs, as once a breach is discovered, customers can cancel their credit card and request a new one, which limited the number of resultant fraudulent transactions. However, with the alarming increase in attacks on businesses that store personally identifiable information (PII) such as addresses, dates of birth and Social Security numbers (things that aren't easily replaceable), customers could fall victim months, even years, down the line.

As a result, things are changing. In the past month, Neiman Marcus and Sony have both had motions to dismiss denied by the courts and will now face class action suits from plaintiffs whose personal data was compromised in the respective breaches. Both courts ruled that even if victims had not yet suffered as a result of the respective breaches, they will remain vulnerable to identity theft for many years due to the companies failing to protect their PII. Both cases will go to trial either later this year or in early 2016.

Whatever the outcome in these upcoming cases, you can be assured that the cost of a data breach is significant. The only way for a business to adequately protect itself from the mountain of costs associated with a breach is to ensure its cyber security policies meet and exceed industry standards and to invest in best-in-class cyber security solutions to limit the damage.