
What to Do About High Data Breach Costs

By Judy Selby
July 02, 2013

It's not always good to be Number One. According to a newly released report from the Ponemon Institute, the U.S. is the most costly country in the world in which to have a data breach. In its “2013 Cost of Data Breach: Global Analysis” study, Ponemon reported the total cost of a breach incident in the U.S. to be $5.4 million, or approximately $188 for every exposed record. (The study is available through Symantec at http://bit.ly/16j7W15.)

Lost business costs, such as abnormal turnover of customers, reputational harm and diminished goodwill, associated with a data breach averaged over $3.03 million in the U.S. Notification costs are a leading driver of total breach response costs, and giving notice too soon can raise that cost even higher, according to the report. Although the most expensive breaches were those caused by malicious attacks by hackers or criminal insiders, the majority of breaches (63%) resulted from either negligence or system glitches.

Costs associated with data breaches were highest in heavily regulated industries, such as health care, financial and pharmaceutical businesses. The per capita cost was $233 for healthcare organizations, $215 for financial businesses, and $207 for pharmaceutical companies, all well above the overall mean cost of $136. Public sector organizations and retailers had the lowest per capita cost, coming in at $81 and $78 respectively.

Faced with continuing front-page stories of cyberattacks and data breaches, e-commerce firms must avoid a “who would want my data” approach to issues of data security and breaches, and instead adopt a “when, not if” mindset. The good news, as confirmed by the Ponemon study, is that implementing IT systems, such as intrusion detection or protection systems, and business processes to minimize and mitigate the risk of a data breach really pays off.

Risk Management

An internal risk management program, including the establishment of strong policies and procedures, training, and insurance, can reduce the chances of a data breach and mitigate the damages if a breach occurs. Ponemon found that implementing solid data security practices translates into significant savings if a breach occurs. Having an in-place data breach response plan cut per-record costs by approximately $42. Maintaining a strong security posture reduced costs by $34, and appointing a chief information security officer saved another $13.

Steps organizations should take to manage and mitigate the risks of a data breach include:

Review internal policies and procedures regularly to make sure they are current and compliant with the ever-changing statutory and regulatory framework governing confidential information. Forty-six states have laws dealing with notification and security requirements, and foreign laws must be incorporated into the policies and procedures of companies that do business outside of the U.S.

The policies and procedures must be distributed to, and followed by, employees.

A comprehensive incident response plan should be implemented and updated regularly. Having a plan in place before a breach incident occurs can substantially mitigate the costs and other harmful consequences of a breach.

A data security consultant should be retained to conduct a yearly security risk assessment to identify any vulnerability in processes and procedures for handling confidential data. Some laws, such as the Health Information Portability and Accountability Act (HIPAA), require periodic risk assessments.

Education of employees is critical to the success of any compliance program. All employees must be educated and trained regularly regarding those policies and procedures, and any applicable laws and regulations. Some laws, such as the Massachusetts Data Protection Law, 201 CMR 17.00, mandate these types of training programs. The value of adequate training cannot be overstated, particularly in light of the Ponemon finding that employee negligence accounted for 33% of breach incidents.

Work closely with business partners to ensure the proper handling of confidential data. Vendors are the cause of at least one-third of all data security incidents, and Ponemon found that third-party error is the number one factor increasing the cost of a data breach. Contracts with vendors, franchisees, and other third parties should carefully address the issues of data security, compliance with relevant laws and industry requirements, breach response, indemnification, and insurance for data breaches.

Ensure that all data collection and sharing practices comply with your organization's privacy policy. Regulators, such as the Federal Trade Commission (FTC), are particularly attuned to this issue.

Consider retaining a chief information security officer to serve as an in-house watchdog over data security issues.

Cyberinsurance

Cyberinsurance can help organizations respond to and mitigate the potentially devastating consequences of a data breach. Most cyberinsurance policies provide invaluable assistance to help the insured respond to a breach, including first-party coverage for an attorney breach coach, forensic technicians, notification providers, credit monitoring services and crisis management professionals, and third-party liability coverage for legal defense costs and fines. Many insurers have experienced teams of professionals ready to spring into action in the crucial period directly following a breach event and to defend against any lawsuits that may arise from the breach. Cyberinsurance can provide a lifeline, particularly for small and midsize businesses that are victimized by a data breach. (For more on cyberinsurance, see my article, “Cyberinsurance: Making the Policy Fit,” in the May 2013 issue of e-Commerce Law & Strategy.)

Conclusion

As confirmed by the Ponemon study, putting systems and procedures in place to improve data security and to respond to breach incidents substantially reduces the impact and negative consequences of a data breach. The stakes couldn't be higher, but taking a proactive approach can significantly mitigate the risks.

Judy Selby is a Partner at Baker Hostetler. She can be reached at [email protected].