We all hear the news reports about major data breaches. Most of us have even been personally affected to some degree by breaches at Target, Lowe’s, Home Depot, Anthem, Premera Blue Cross, etc. More and more we hear the warnings that no organization is too small to be a target for hackers and “it’s not IF you will be breached, but WHEN”.
Yet making a case to invest proactively to prevent breaches can still be a hard sell because the costs of breaches are not well understood. There are key questions to consider: What do you have to protect? Medical or financial data for clients or staff? Trade secrets or other proprietary information? Sensitive data that could cause reputational damage?
What is your level of risk? If you don’t know, assume your risk is high. Regular testing to identify and remediate vulnerabilities is critical to preventing simple known exploits from compromising your systems and exposing your organization.
What are the likely costs of a breach for your organization? This is key to making the business case for spending to avoid a breach. Calculate the types of costs you may incur:
- Investigation costs to confirm the source of the breach and what has been compromised.
- Forensic data gathering to ensure that the vulnerability or malware is no longer a threat and to properly document the incident in case legal action is required.
- Remediation to clean up the issues caused by the breach and put in the protections whose absence allowed the breach to happen (often controls and safeguards that should have already been in place).
- Notification and credit monitoring may also be required based on the type(s) of data exposed in the incident. HIPAA requires any incident involving 500 or more patient records to be reported to federal regulators, the media, and affected individuals. Individuals must be notified by first-class mail (unless the individual has agreed to electronic notice), and multiple mailings could be required if more information comes to light after the initial notification. Postage alone for the Anthem breach was $40 million! Credit monitoring and/or identity theft services average $10 per month per affected individual.
- Fines and damages may be assessed against you, especially if it can be proven that you did not take proactive steps to protect data that you have been entrusted with. Healthcare fines that involve such willful neglect start at $1.5 million, with settlements as high as $4.8 million. Three class-action lawsuits were filed against Anthem in less than 24 hours after their breach. Target’s data breach costs have been estimated at a staggering $252 million…and counting. The Ponemon Institute’s study found the average cost of a data breach to be $5.5 million, or $194 per compromised record.
- Loss of business. This encompasses everything from losses incurred during the breach and remediation period, to the extra costs of handling inquiries from victims and auditors, to the income lost if victims leave you for a competitor. If your business relies on referrals, the loss of opportunity can be huge.