- Robert Stines
The Expense of a Data Breach
Business executives and owners may not appreciate the pain (financially, mentally, and emotionally) that a data breach will cause. Ask any executive who has experienced a data breach and you will hear stories of the pandemonium and stress. After the dust settles (a bit), the expenses start to pile up. If you are wondering why a data breach is so expensive and where these expenses come from, then this blog post is for you.
When a breach is suspected or confirmed, the breached company has to determine what caused the breach, what and how much information was disclosed, and if the company's IT system is still compromised. Most important, to comply with state notification laws, the company has to determine if there has been unauthorized access to personally identifiable information. In-house IT specialists are probably not equipped to handle this type of investigation. Therefore, hiring an outside forensic company is usually necessary and costly.
After the company determines the "who, what, and when," the question becomes can the company salvage its IT network and system. In some situations, the IT specialist will simply need to shut down the system, purge all of the compromised files, reload any necessary operating systems, and hope that is enough to kick out the hacker. Unfortunately, this "purge" may result in the loss of valuable proprietary information. Sometimes, the system and computers are rendered inoperable, and requires new hardware and software. In other situations, the forensic and IT team cannot guarantee that the malware has been totally purged. Depending on the size of the company, the remediation process could be financially crippling.
Every state now has laws that require notification in the event of a data breach. The company should have immediately retained an attorney to assist with handling the breach. Depending on the industry (e.g., healthcare, financial, etc.) a company may also have to comply with federal statutes. Complying with the notification requirements can be costly. However, failing to comply with the notification laws may subject the company to statutory fines that accrue on a daily basis.
Depending on the different laws that govern the sector, a breached company may need to provide credit monitoring for all the individuals whose information was disclosed in the breach. Even without a law mandating this practice, it is probably a wise move to mitigate the reputational harm.
This should not be surprising. There are several class actions against companies that suffered data breaches. The people whose information was disclosed in the data breach will probably become members of class suing the company. For example, the Anthem data breach led to a class action and resulted in a $115 million settlement.
If the company's stock value decreased because of the breach, shareholders may file a securities class action against the company and its directors and officers. The securities class action against Yahoo is a good example. Eventually, the Yahoo class settled for $80 million.
In previous blog posts, I have discussed lawsuits where breached companies were forced to sue their insurance carriers to obtain coverage for the data breach.
Litigation expenses alone can bankrupt a smaller company.
Penalties and fines
In addition to individuals bringing lawsuits, the breached company may face fines and penalties from state and federal agencies. Companies in the United States could potentially face fines from one or more regulatory agencies, including the Department of Health and Human Services (which regulates breaches of medical data) the Federal Trade Commission, and the Federal Communications Commission.
State attorneys general may also seek to penalize the company for engaging in unfair and deceptive trade practices.
States may also impose fines for failing to comply with breach notification laws. In Florida, a violation of the breach notification law may result in a civil penalty not to exceed $500,000.
If a company cannot access its computers and network because of a data breach, the company cannot operate. If the company's IT specialist and forensic expert determine that the network is still compromised, no one will be allowed to access the network. Depending on how long it takes to determine the type of breach and how to remedy the situation, it could be days or weeks before operations are back to 100%. This all leads to business interruptions that result in lost income and lost profits. Some companies cannot survive a couple days of business interruption.
Some insurance policies cover losses due to business interruption, but typically the insurance is for interruption due to property damage such as a hurricane or fire. Business interruption due to a data breach is a fairly new concept and it is important that risk managers understand whether or not the company is covered for this type of loss.
Then there is the issue of loss of reputation that will lead to loss of business. Increased insurance premiums because of the huge expenses incurred as a result of the data breach. Greater regulatory scrutiny and the potential that employees will prefer to work for a company with a better reputation.
What to Do
Every company that relies on the Internet and computers to conduct business is subject to a data breach or hack. Whether it be through ransomware, distributed denial of service attacks, a phishing scheme that results in wiring funds to a fraudster, or the unauthorized disclosure of personally identifiable information.
From a purely financial perspective, it is good business to take reasonable precautions to prevent a data breach, and in the event of a data breach have a response team ready. When regulators, shareholders, and customers start asking questions, the company can honestly say "we took precautions, and had a plan." It might not save the day, but it will mitigate the situation and lower the expense.
Florida Cyber Lawyer ~ Robert Stines