One of the biggest challenges, particularly for small and medium businesses (SMBs), is anticipating and budgeting for the cost of a data breach. Large, often publicly owned corporations can absorb heavy losses from litigation or regulatory penalties; organizations with less than $100 million in revenue generally cannot. Even when SMB leadership accepts that an attack is inevitable, it rarely understands what the potential costs are or how to prepare for them, and so it tasks the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) with estimating the cost of a breach for budgetary purposes. The CISO, knowing that breach readiness starts with IT governance, may in turn try to educate leadership on the controls needed to prevent a breach in the first place. Both leaders face the same decision: how much money is set aside for data security, and how much of it goes to prevention versus recovery? Most would agree the answer is a combination of the two; this article focuses on the components of cost once a breach has occurred. The four primary silos of cost are response and notification, litigation, regulatory fines, and damage to reputation. Forecasting these costs not only gives the company an idea of the financial burden it will incur, it also pushes the people involved to document the steps they will take when a breach is discovered.
Notification, the first cost incurred, is the easiest to forecast. Most businesses have a good idea of who their customers are and how best to reach them, and an established social media presence can simplify outreach and reduce total cost, although it usually supplements rather than replaces individual notice. After the breach is discovered, the first task is to determine which customers were affected and which data elements were exposed; this scoping depends on the logs and records the organization kept before the incident, and it determines whether notification is legally required at all. Once the affected population is known, the business must decide how to notify them. US Mail, email and social media are the most common methods, and the most efficient process for each should be worked out in advance. Many states have laws that specify acceptable notification methods, required content and deadlines, and these need to be understood and built into the process before a breach, not after. The larger the organization, and the larger the breach, the more complicated this becomes. In a recent breach of a large healthcare organization, deciding how to contact the affected customers took longer than it should have because the company was not prepared for a breach of the magnitude it faced. The breach affected tens of millions of customers, and the company concluded that conventional mail notification was required, at a cost of several million dollars.
Litigation and regulatory penalties are similar and can be prepared for in the same way. Regulatory penalties can be better estimated up front because the applicable statutes and prior enforcement actions are public, but both costs can get out of control quickly. The most practical way to prepare for them is Data Breach Insurance, also known as Cyber Liability Insurance. A cyber liability policy typically provides both first-party and third-party coverage: first-party coverage pays the insured company's own costs, such as forensic investigation, notification and business interruption, while third-party coverage pays claims brought by others harmed by the breach, such as customers, business partners or regulators. Policies vary widely, so the plan should be read closely for sublimits, exclusions and conditions; some insurers now require baseline controls such as multi-factor authentication before they will write or renew coverage, and the insurability of regulatory fines depends on the jurisdiction. While Cyber Liability Insurance is usually considered for the larger expenses, like lawsuits and regulatory penalties, the right plan can be used for all four of the aforementioned cost categories: notification, litigation, regulatory fines and damage to reputation.
The hardest to define, and often the costliest, is the damage to the breached company's reputation. In a recent study, the three events with the greatest impact on brand reputation were data breaches, inadequate customer service and environmental disasters, and of these the survey found that data breaches have the most negative impact. If the affected company is in the IT industry, and specifically IT security, the effect is likely to be devastating. The only trend that seems to be softening the damage is that breaches have become so common that people are more likely to disregard a notification. That frequency is real, but it is not something the affected company can build into its plan. What the plan must include is the message the company will communicate to the public to lessen the negative consequences: how the problem was fixed and how further breaches will be prevented. That message should be accurate and should not claim more than the investigation supports, since a statement that later has to be walked back does more reputational harm than the breach itself. In a recent healthcare breach, for example, the organization partnered with a well-known security platform to better protect patient records going forward.
Considering these four primary areas is critical to helping leadership estimate the costs associated with a data breach. If you have any questions about determining the cost for your business, contact us today.
Contact us so we can learn more about your organization's IT challenges.