The Real Costs to Companies
People get emotional over cyber data breaches, and the media loves to report on the latest hack attack that exposed millions of users’ information. Other than reputational damage (which is quickly forgotten, given the 24/7 news cycle), why should risk managers, executives and business owners care? Because it’s expensive. So expensive that it could hurt profits for years.
Compliance departments, risk managers and executives may not appreciate the financial damage that a data breach will cause. Ask any company executive or risk manager who has experienced a data breach and you will hear stories of disorder, the blame game, unanswered questions and the expense. The disorder and expense increase if the company did not have a data breach and incident response plan in place before the cyber incident was discovered. Why? Because it is more expensive to hire professionals and forensic experts in the midst of a data breach than to negotiate reasonable rates before the event.
Even after the breach is contained, the breached company may become the target of investigations, regulatory fines, litigation costs, reputational harm and lost profits that can affect the company’s bottom line for years.
If you are wondering why a data breach is so expensive and where these expenses come from, keep reading.
When a breach is suspected or confirmed, the company has to determine what caused the breach, what and how much information was disclosed and if the company’s IT system is still compromised.
Most important, to comply with state notification laws, the company has to determine if there has been unauthorized access to personally identifiable information. In-house IT specialists are probably not equipped to handle this type of investigation.
Best practice is to retain a forensic specialist before the breach and agree on acceptable rates. It is significantly more expensive to retain a forensic specialist while in the midst of a data breach.
After the company determines the “who, what and when,” the question becomes whether the company can salvage its IT network and system. In some situations, the IT specialist will simply need to shut down the system, purge all of the compromised files, reload any necessary operating systems and confirm (if they can) that the hacker’s access to the system is blocked.
Unfortunately, this “purge” may result in the loss of valuable proprietary information. Sometimes, the system and computers are rendered inoperable and require new hardware and software. In other situations, the forensic and IT team cannot guarantee that the malware has been totally purged. Depending on the size of the company, the remediation process could be financially crippling.
Every state now has laws that require notification in the event of a data breach. After a confirmed data breach, the company should retain a professional (probably an attorney) to assist with handling the breach and navigating the breach notification laws. Depending on the industry (e.g., health care, financial, etc.), a company may also need to comply with federal statutes and regulations.
Complying with the notification requirements can be costly. On the other hand, failing to comply with the notification laws may subject the company to statutory fines that accrue on a daily basis.
Companies that operate in Europe also need to comply with the General Data Protection Regulation (GDPR), which is the EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy. In some cases, violators of the GDPR may be fined up to €20 million or, in the case of an enterprise, up to 4 percent of the annual worldwide turnover of the preceding financial year, whichever is greater.
Depending on the sector and applicable regulations, a breached company may need to provide credit monitoring for all the individuals whose information was disclosed in the breach.
Even without a law mandating credit monitoring, it is probably smart to offer such a service to build some goodwill with customers and mitigate the reputational harm.
This should not be surprising. It is unfortunate that the breached company is really the victim of a cyber incident resulting in a data breach. Despite being the victim, the breached company will incur additional expenses due to litigation costs, attorneys’ fees and the possible payout of millions of dollars to clients, customers, shareholders and government agencies.
There are several class actions against companies that suffered data breaches (Yahoo, Anthem, Equifax, Sony). The people whose information was disclosed in the data breach will probably become members of the class suing the company.
If the company’s stock value decreased because of the breach, shareholders may file a class action or a derivative lawsuit against the company and its directors and officers. The securities class action against Yahoo is a good example. Eventually, the Yahoo class settled for $80 million.
There are many examples of insurance-related litigation that stemmed from a data breach. Many companies have, or thought they had, cyber insurance to provide indemnification in the event of a data breach. Because cyber insurance is still in its infancy, many carriers find it difficult to underwrite cyber risks. Carriers do not anticipate the types of losses that result from a cyber incident and may challenge whether a data breach is a covered loss. When the insurance carrier denies coverage, there is typically a declaratory judgment action that seeks a declaration from the court as to whether the carrier is obligated to indemnify the company under the circumstances.
Penalties and Fines
In addition to individuals bringing lawsuits, the breached company may face fines and penalties from state and federal agencies.
Companies in the United States could potentially face fines from one or more regulatory agencies, including the Department of Health and Human Services (which regulates breaches of medical data), the Federal Trade Commission and the Federal Communications Commission.
State attorneys general may also seek to penalize the company for engaging in unfair and deceptive trade practices.
States may also impose fines for failing to comply with breach notification laws. In Florida, for example, a violation of the breach notification law may result in a civil penalty not to exceed $500,000.
If the company collects, processes or transmits credit card data, then it is governed by the PCI Data Security Standard (PCI DSS), which is a set of rules designed by the credit card brands to enforce card data security. In the event of a data breach resulting in the disclosure of credit card information, the company may have to pay PCI compliance fines ranging from $5,000 to $100,000 a month.
If a company cannot access its computers and network because of a data breach, the company cannot operate. If the company’s IT specialist and forensic expert determine that the network is compromised, access to the network will be limited.
Depending on how long it takes to determine the type of breach and how to remedy the situation, it could be days or weeks before operations are back to 100 percent. This all leads to business interruptions that result in lost income and lost profits.
Some companies cannot survive a couple of days of business interruption.
Some insurance policies cover losses due to business interruption, but typically the insurance is for interruption due to property damage, such as a hurricane or fire. Business interruption due to a data breach is a fairly new concept, and it is important that risk managers understand whether or not the company is covered for this type of loss.
What to Do
Every company that relies on the internet and computers to conduct business is subject to a data breach or hack — whether it be through ransomware, distributed denial of service attacks, a phishing scheme that results in wiring funds to a fraudster or the unauthorized disclosure of personally identifiable information.
From a purely financial perspective, it is good business to take reasonable precautions to prevent a data breach and, in the event of a data breach, have a response team ready. When regulators, shareholders and customers start asking questions, the company can honestly say, “We took precautions and had a plan.” It might not save the day, but it will mitigate the situation and lower the expense.