ALM Properties, Inc.
Page printed from: The Legal Intelligencer
What to Do About High Data Breach Costs
Study says U.S. is No. 1 in data breach costs, but there are mitigating strategies to apply.
2013-06-24 12:00:00 AM
It's not always good to be Number One. According to a newly released report from the Ponemon Institute, the U.S. is the most costly country in the world in which to have a data breach. In its "2013 Cost of Data Breach: Global Analysis" study, Ponemon reported the total cost of a breach incident in the U.S. to be $5.4 million, or approximately $188 for every exposed record.
Lost business costs, such as abnormal turnover of customers, reputational harm and diminished goodwill, associated with a data breach averaged over $3.03 million in the U.S. Notification costs are a leading driver of total breach response costs, and giving notice too soon can raise that cost even higher, according to the report. Although the most expensive breaches were those caused by malicious attacks by hackers or criminal insiders, the majority of breaches — 63 percent — resulted from either negligence or system glitches.
Costs associated with data breaches were highest in heavily regulated industries, such as health care, financial, and pharmaceutical businesses. The per capita cost was $233 for health care organizations, $215 for financial businesses, and $207 for pharmaceutical companies, all well above the overall mean cost of $136. Public sector organizations and retailers had the lowest per capita cost, coming in at $81 and $78 respectively.
Faced with continuing front-page stories of cyberattacks and data breaches, all entities must avoid a "who would want my data" approach to issues of data security and breaches, and instead adopt a "when, not if" mindset. The good news, as confirmed by the Ponemon study, is that implementing robust IT systems — such as intrusion detection or protection systems — and business processes to minimize and mitigate the risk of a data breach really pays off.
An internal risk management program, including the establishment of strong policies and procedures, training, and insurance, can reduce the chances of a data breach and mitigate the damages if a breach occurs. Ponemon found that implementing solid data security practices translates into significant savings if a breach occurs. Having an in-place data breach response plan cut per-record costs by approximately $42. Maintaining a strong security posture reduced costs by $34, and appointing a chief information security officer saved another $13.
Steps organizations should take to manage and mitigate the risks of a data breach include:
• Review internal policies and procedures regularly to make sure they are current and compliant with the ever-changing statutory and regulatory framework governing confidential information. Forty-six states have laws dealing with notification and security requirements, and foreign laws must be incorporated into the policies and procedures of companies that do business outside of the U.S.
• The policies and procedures must be distributed to, and followed by, employees.
• A comprehensive incident response plan should be implemented and updated regularly. Having a plan in place before a breach incident occurs can substantially mitigate the costs and other harmful consequences of a breach.
• A data security consultant should be retained to conduct a yearly security risk assessment to identify any vulnerability in processes and procedures for handling confidential data. Some laws, such as the Health Insurance Portability and Accountability Act (HIPAA), require periodic risk assessments.
• Education of employees is critical to the success of any compliance program. All employees must be educated and trained regularly regarding those policies and procedures, and any applicable laws and regulations. Some laws, such as the Massachusetts Data Protection Law 201 CMR 17.00, mandate these types of training programs. The value of adequate training cannot be overstated, particularly in light of the Ponemon finding that employee negligence accounted for 33 percent of breach incidents.
• Work closely with business partners to ensure the proper handling of confidential data. Vendors are the cause of at least one-third of all data security incidents, and Ponemon found that third-party error is the number one factor increasing the cost of a data breach. Contracts with vendors, franchisees, and other third parties should carefully address the issues of data security, compliance with relevant laws and industry requirements, breach response, indemnification, and insurance for data breaches.
• Consider retaining a chief information security officer to serve as an in-house watchdog over data security issues.
Cyberinsurance can help organizations respond to and mitigate the potentially devastating consequences of a data breach. Most cyberinsurance policies provide invaluable assistance to help the insured respond to a breach, including first-party coverage for an attorney breach coach, forensic technicians, notification providers, credit monitoring services, and crisis management professionals, and third-party liability coverage for legal defense costs and fines. Many insurers have experienced teams of professionals ready to spring into action in the crucial period directly following a breach event and to defend against any lawsuits that may arise from the breach. Cyberinsurance can provide a lifeline, particularly for small and midsize businesses that are victimized by a data breach.
As confirmed by the Ponemon study, putting systems and procedures in place to improve data security and to respond to breach incidents substantially reduces the impact and negative consequences of a data breach. The stakes couldn't be higher, but taking a proactive approach can significantly mitigate the risks.
Judy Selby is a partner at Baker & Hostetler. Email her at firstname.lastname@example.org.