
What to Do About High Data Breach Costs

By Judy Selby
July 02, 2013

It's not always good to be Number One. According to a newly released report from the Ponemon Institute, the U.S. is the most costly country in the world in which to have a data breach. In its “2013 Cost of Data Breach: Global Analysis” study, Ponemon reported the total cost of a breach incident in the U.S. to be $5.4 million, or approximately $188 for every exposed record. (The study is available through Symantec at http://bit.ly/16j7W15.)

Lost business costs associated with a data breach, such as abnormal customer turnover, reputational harm and diminished goodwill, averaged over $3.03 million in the U.S. Notification costs are a leading driver of total breach response costs, and giving notice too soon can raise that cost even higher, according to the report. Although the most expensive breaches were those caused by malicious attacks by hackers or criminal insiders, the majority of breaches (63%) resulted from either negligence or system glitches.

Costs associated with data breaches were highest in heavily regulated industries, such as health care, financial and pharmaceutical businesses. The per capita cost was $233 for healthcare organizations, $215 for financial businesses, and $207 for pharmaceutical companies, all well above the overall mean cost of $136. Public sector organizations and retailers had the lowest per capita cost, coming in at $81 and $78 respectively.

Faced with continuing front-page stories of cyberattacks and data breaches, e-commerce firms must avoid a "who would want my data" approach to data security and breaches, and instead adopt a "when, not if" mindset. The good news, as confirmed by the Ponemon study, is that implementing IT systems, such as intrusion detection or prevention systems, and business processes to minimize and mitigate the risk of a data breach really pays off.

Risk Management

An internal risk management program, including the establishment of strong policies and procedures, training, and insurance, can reduce the chances of a data breach and mitigate the damages if a breach occurs. Ponemon found that implementing solid data security practices translates into significant savings if a breach occurs. Having a data breach response plan in place cut per-record costs by approximately $42. Maintaining a strong security posture reduced costs by $34, and appointing a chief information security officer saved another $13.

Steps organizations should take to manage and mitigate the risks of a data breach include:

Review internal policies and procedures regularly to make sure they are current and compliant with the ever-changing statutory and regulatory framework governing confidential information. Forty-six states have laws dealing with notification and security requirements, and foreign laws must be incorporated into the policies and procedures of companies that do business outside of the U.S.

The policies and procedures must be distributed to, and followed by, employees.

A comprehensive incident response plan should be implemented and updated regularly. Having a plan in place before a breach incident occurs can substantially mitigate the costs and other harmful consequences of a breach.

A data security consultant should be retained to conduct a yearly security risk assessment to identify any vulnerability in processes and procedures for handling confidential data. Some laws, such as the Health Insurance Portability and Accountability Act (HIPAA), require periodic risk assessments.

Education of employees is critical to the success of any compliance program. All employees must be educated and trained regularly regarding those policies and procedures and any applicable laws and regulations. Some laws, such as the Massachusetts Data Protection Law, 201 CMR 17.00, mandate these types of training programs. The value of adequate training cannot be overstated, particularly in light of the Ponemon finding that employee negligence accounted for 33% of breach incidents.

Work closely with business partners to ensure the proper handling of confidential data. Vendors are the cause of at least one-third of all data security incidents, and Ponemon found that third-party error is the number one factor increasing the cost of a data breach. Contracts with vendors, franchisees, and other third parties should carefully address the issues of data security, compliance with relevant laws and industry requirements, breach response, indemnification, and insurance for data breaches.

Ensure that all data collection and sharing practices comply with your organization's privacy policy. Regulators, such as the Federal Trade Commission (FTC), are particularly attuned to this issue.

Consider retaining a chief information security officer to serve as an in-house watchdog over data security issues.

Cyberinsurance

Cyberinsurance can help organizations respond to and mitigate the potentially devastating consequences of a data breach. Most cyberinsurance policies provide invaluable assistance to help the insured respond to a breach, including first-party coverage for an attorney breach coach, forensic technicians, notification providers, credit monitoring services and crisis management professionals, and third-party liability coverage for legal defense costs and fines. Many insurers have experienced teams of professionals ready to spring into action in the crucial period directly following a breach event and to defend against any lawsuits that may arise from the breach. Cyberinsurance can provide a lifeline, particularly for small and midsize businesses that are victimized by a data breach. (For more on cyberinsurance, see my article, "Cyberinsurance: Making the Policy Fit," in the May 2013 issue of e-Commerce Law & Strategy.)

Conclusion

As confirmed by the Ponemon study, putting systems and procedures in place to improve data security and to respond to breach incidents substantially reduces the impact and negative consequences of a data breach. The stakes couldn't be higher, but taking a proactive approach can significantly mitigate the risks.


Judy Selby is a Partner at Baker Hostetler. She can be reached at [email protected].