[BreachExchange] What Makes A Cyber Data Breach Expensive?
Destry Winant
destry at riskbasedsecurity.com
Wed Dec 19 09:20:51 EST 2018
https://www.corporatecomplianceinsights.com/what-makes-a-cyber-data-breach-expensive/
The Real Costs to Companies
People get emotional over cyber data breaches, and the media loves to
report on the latest hack attack that exposed millions of users’
information. Other than reputational damage (which is quickly
forgotten, given the 24/7 news cycle), why should risk managers,
executives and business owners care? Because it’s expensive. So
expensive that it could hurt profits for years.
Compliance departments, risk managers and executives may not
appreciate the financial damage that a data breach will cause. Ask any
company executive or risk manager who has experienced a data breach
and you will hear stories of disorder, the blame game, unanswered
questions and the expense. The disorder and expense increase if the
company did not have a data breach and incident response plan in place
before the cyber incident was discovered. Why? Because it is more
expensive to hire professionals and forensic experts in the midst of
the data breach than negotiating reasonable rates before the event.
Even after the breach is contained, the breached company may become
the target of investigations, regulatory fines, litigation costs,
reputational harm and lost profits that can affect the company’s
bottom line for years.
If you are wondering why a data breach is so expensive and where these
expenses come from, keep reading.
Investigation
When a breach is suspected or confirmed, the company has to determine
what caused the breach, what and how much information was disclosed
and if the company’s IT system is still compromised.
Most importantly, to comply with state notification laws, the company
has to determine if there has been unauthorized access to personally
identifiable information. In-house IT specialists are probably not
equipped to handle this type of investigation.
Best practice is to retain a forensic specialist before the breach and
agree to acceptable rates. It is significantly more expensive to
retain a forensic specialist while in the midst of a data breach.
Remediation
After the company determines the “who, what and when,” the question
becomes whether the company can salvage its IT network and system. In some
situations, the IT specialist will simply need to shut down the
system, purge all of the compromised files, reload any necessary
operating systems and confirm (if they can) that the hacker’s access
to the system is blocked.
Unfortunately, this “purge” may result in the loss of valuable
proprietary information. Sometimes, the system and computers are
rendered inoperable and require new hardware and software. In other
situations, the forensic and IT team cannot guarantee that the malware
has been totally purged. Depending on the size of the company, the
remediation process could be financially crippling.
Notification
Every state now has laws that require notification in the event of a
data breach. After a confirmed data breach, the company should retain
a professional (probably an attorney) to assist with handling the
breach and navigating the breach notification laws. Depending on the
industry (e.g., health care, financial, etc.) a company may need to
comply with federal statutes and regulations.
Complying with the notification requirements can be costly. On the
other hand, failing to comply with the notification laws may subject
the company to statutory fines that accrue on a daily basis.
Companies that operate in Europe also need to comply with the General
Data Protection Regulation (GDPR), which is the EU law on data
protection and privacy for all individuals within the European Union
and the European Economic Area. Businesses must report any data
breaches within 72 hours if they have an adverse effect on user
privacy. In some cases, violators of the GDPR may be fined up to €20
million or up to 4 percent of the annual worldwide turnover of the
preceding financial year in case of an enterprise, whichever is
greater.
Credit Monitoring
Depending on the sector and applicable regulations, a breached company
may need to provide credit monitoring for all the individuals whose
information was disclosed in the breach.
Even without a law mandating credit monitoring, it is probably smart
to offer such a service to build some goodwill with customers and
mitigate the reputational harm.
Litigation
This should not be surprising. It is unfortunate that the breached
company is really the victim of a cyber incident resulting in a data
breach. Despite being the victim, the breached company will incur
additional expenses due to litigation costs, attorneys’ fees and the
possible payout of millions of dollars to clients, customers,
shareholders and government agencies.
There are several class actions against companies that suffered data
breaches (Yahoo, Anthem, Equifax, Sony). The people whose information
was disclosed in the data breach will probably become members of the
class suing the company.
If the company’s stock value decreased because of the breach,
shareholders may file a class action or a derivative lawsuit against
the company and its directors and officers. The securities class
action against Yahoo is a good example. Eventually, the Yahoo class
settled for $80 million.
There are many examples of insurance-related litigation that stemmed
from a data breach. Many companies have, or thought they had, cyber
insurance to provide indemnification in the event of a data breach.
Because cyber insurance is still in its infancy, many carriers find it
difficult to underwrite cyber risks. Carriers do not anticipate the
types of losses that result from a cyber incident and may challenge
whether a data breach is a covered loss. When the insurance carrier
denies coverage, there is typically a declaratory judgment action that
seeks a declaration from the court as to whether the carrier is
obligated to indemnify the company under the circumstances.
Penalties and Fines
In addition to individuals bringing lawsuits, the breached company may
face fines and penalties from state and federal agencies.
Companies in the United States could potentially face fines from one
or more regulatory agencies, including the Department of Health and
Human Services (which regulates breaches of medical data), the Federal
Trade Commission and the Federal Communications Commission.
State attorneys general may also seek to penalize the company for
engaging in unfair and deceptive trade practices.
States may also impose fines for failing to comply with breach
notification laws. In Florida, for example, a violation of the breach
notification law may result in a civil penalty not to exceed $500,000.
If the company collects, processes or transmits credit card data, then
it is governed by the PCI Data Security Standard (PCI DSS), which is a set of
rules designed by the credit card brands to enforce card data
security. In the event of a data breach resulting in the disclosure of
credit card information, the company may have to pay PCI compliance
fines ranging from $5,000 to $100,000 a month.
Business Interruption
If a company cannot access its computers and network because of a data
breach, the company cannot operate. If the company’s IT specialist and
forensic expert determine that the network is compromised, access to
the network will be limited.
Depending on how long it takes to determine the type of breach and how
to remedy the situation, it could be days or weeks before operations
are back to 100 percent. This all leads to business interruptions that
result in lost income and lost profits.
Some companies cannot survive a couple of days of business interruption.
Some insurance policies cover losses due to business interruption, but
typically the insurance is for interruption due to property damage,
such as a hurricane or fire. Business interruption due to a data
breach is a fairly new concept, and it is important that risk managers
understand whether or not the company is covered for this type of
loss.
What to Do
Every company that relies on the internet and computers to conduct
business is subject to a data breach or hack — whether it be through
ransomware, distributed denial of service attacks, a phishing scheme
that results in wiring funds to a fraudster or the unauthorized
disclosure of personally identifiable information.
From a purely financial perspective, it is good business to take
reasonable precautions to prevent a data breach and, in the event of a
data breach, have a response team ready. When regulators, shareholders
and customers start asking questions, the company can honestly say,
“We took precautions and had a plan.” It might not save the day, but
it will mitigate the situation and lower the expense.