Corporate Compliance Insights

What Makes a Cyber Data Breach Expensive?

by Robert Stines
December 18, 2018
in Featured, Risk

The Real Costs to Companies

People get emotional over cyber data breaches, and the media loves to report on the latest hack attack that exposed millions of users’ information. Other than reputational damage (which is quickly forgotten, given the 24/7 news cycle), why should risk managers, executives and business owners care? Because it’s expensive. So expensive that it could hurt profits for years.

Compliance departments, risk managers and executives may not appreciate the financial damage that a data breach will cause. Ask any company executive or risk manager who has experienced a data breach and you will hear stories of disorder, the blame game, unanswered questions and the expense. The disorder and expense increase if the company did not have a data breach and incident response plan in place before the cyber incident was discovered. Why? Because it is more expensive to hire professionals and forensic experts in the midst of a data breach than to negotiate reasonable rates before the event.

Even after the breach is contained, the breached company may become the target of investigations, regulatory fines, litigation costs, reputational harm and lost profits that can affect the company’s bottom line for years.

If you are wondering why a data breach is so expensive and where these expenses come from, keep reading.

Investigation

When a breach is suspected or confirmed, the company has to determine what caused the breach, what and how much information was disclosed and if the company’s IT system is still compromised.

Most important, to comply with state notification laws, the company has to determine if there has been unauthorized access to personally identifiable information. In-house IT specialists are probably not equipped to handle this type of investigation.

Best practice is to retain a forensic specialist before the breach and agree on acceptable rates. It is significantly more expensive to retain a forensic specialist while in the midst of a data breach.

Remediation

After the company determines the “who, what and when,” the question becomes whether the company can salvage its IT network and systems. In some situations, the IT specialist will simply need to shut down the system, purge all of the compromised files, reload any necessary operating systems and confirm (if they can) that the hacker’s access to the system is blocked.

Unfortunately, this “purge” may result in the loss of valuable proprietary information. Sometimes, the system and computers are rendered inoperable and require new hardware and software. In other situations, the forensic and IT team cannot guarantee that the malware has been totally purged. Depending on the size of the company, the remediation process could be financially crippling.

Notification

Every state now has laws that require notification in the event of a data breach. After a confirmed data breach, the company should retain a professional (probably an attorney) to assist with handling the breach and navigating the breach notification laws. Depending on the industry (e.g., health care or financial services), a company may also need to comply with federal statutes and regulations.

Complying with the notification requirements can be costly. On the other hand, failing to comply with the notification laws may subject the company to statutory fines that accrue on a daily basis.

Companies that operate in Europe also need to comply with the General Data Protection Regulation (GDPR), which is the EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy. In some cases, violators of the GDPR may be fined up to €20 million or, in the case of an enterprise, up to 4 percent of the annual worldwide turnover of the preceding financial year, whichever is greater.

Credit Monitoring

Depending on the sector and applicable regulations, a breached company may need to provide credit monitoring for all the individuals whose information was disclosed in the breach.

Even without a law mandating credit monitoring, it is probably smart to offer such a service to build some goodwill with customers and mitigate the reputational harm.

Litigation

This should not be surprising. It is unfortunate that the breached company is really the victim of a cyber incident resulting in a data breach. Despite being the victim, the breached company will incur additional expenses due to litigation costs, attorneys’ fees and the possible payout of millions of dollars to clients, customers, shareholders and government agencies.

There are several class actions against companies that suffered data breaches (Yahoo, Anthem, Equifax, Sony). The people whose information was disclosed in the data breach will probably become members of the class suing the company.

If the company’s stock value decreased because of the breach, shareholders may file a class action or a derivative lawsuit against the company and its directors and officers. The securities class action against Yahoo is a good example. Eventually, the Yahoo class settled for $80 million.

There are many examples of insurance-related litigation that stemmed from a data breach. Many companies have, or thought they had, cyber insurance to provide indemnification in the event of a data breach. Because cyber insurance is still in its infancy, many carriers find it difficult to underwrite cyber risks. Carriers do not anticipate the types of losses that result from a cyber incident and may challenge whether a data breach is a covered loss. When the insurance carrier denies coverage, there is typically a declaratory judgment action that seeks a declaration from the court as to whether the carrier is obligated to indemnify the company under the circumstances.

Penalties and Fines

In addition to individuals bringing lawsuits, the breached company may face fines and penalties from state and federal agencies.

Companies in the United States could potentially face fines from one or more regulatory agencies, including the Department of Health and Human Services (which regulates breaches of medical data), the Federal Trade Commission and the Federal Communications Commission.

State attorneys general may also seek to penalize the company for engaging in unfair and deceptive trade practices.

States may also impose fines for failing to comply with breach notification laws. In Florida, for example, a violation of the breach notification law may result in a civil penalty not to exceed $500,000.

If the company collects, processes or transmits credit card data, then it is governed by the PCI Data Security Standard (PCI DSS), a set of rules designed by the credit card brands to enforce card data security. In the event of a data breach resulting in the disclosure of credit card information, the company may have to pay PCI compliance fines ranging from $5,000 to $100,000 a month.

Business Interruption

If a company cannot access its computers and network because of a data breach, the company cannot operate. If the company’s IT specialist and forensic expert determine that the network is compromised, access to the network will be limited.

Depending on how long it takes to determine the type of breach and how to remedy the situation, it could be days or weeks before operations are back to 100 percent. This all leads to business interruptions that result in lost income and lost profits.

Some companies cannot survive a couple of days of business interruption.

Some insurance policies cover losses due to business interruption, but typically the insurance is for interruption due to property damage, such as a hurricane or fire. Business interruption due to a data breach is a fairly new concept, and it is important that risk managers understand whether or not the company is covered for this type of loss.

What to Do

Every company that relies on the internet and computers to conduct business is subject to a data breach or hack — whether it be through ransomware, distributed denial of service attacks, a phishing scheme that results in wiring funds to a fraudster or the unauthorized disclosure of personally identifiable information.

From a purely financial perspective, it is good business to take reasonable precautions to prevent a data breach and, in the event of a data breach, have a response team ready. When regulators, shareholders and customers start asking questions, the company can honestly say, “We took precautions and had a plan.” It might not save the day, but it will mitigate the situation and lower the expense.


Tags: Data Breach, GDPR, Payment Card Industry Data Security Standard (PCI DSS)
Robert Stines

Robert A. Stines is a Partner in the Tampa, Florida office of Freeborn & Peters, LLP. A member of the firm’s Litigation Practice Group and Emerging Technologies Industry Team, he is a trial lawyer whose practice is focused on business commercial disputes, professional liability defense and cyber law. An IAPP U.S.-law certified privacy professional, he also advises businesses on cybersecurity and data privacy issues. He can be reached at rstines@freeborn.com. To read his blog, visit https://www.techlawx.com/blog.

© 2022 Corporate Compliance Insights