BreachExchange mailing list archives

Calculating The Colossal Cost of A Data Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Mar 2015 19:07:44 -0600

http://ww2.cfo.com/data-security/2015/03/calculating-colossal-cost-data-breach/

In the past two years, there have been dozens of highly publicized data
breaches, including recent ones at Community Health Systems, Anthem, and
now Premera Blue Cross. Just from those three, hackers stole medical
information and other data of 136 million Americans, some records dating
back a decade.

And that’s just in health care. Add Target, Sony, and Home Depot to the
list and we’re talking tens of millions more Americans affected.

When breaches of this size become almost commonplace in the retail, health
care, and movie industries, many CFOs wonder: How vulnerable is my company?
The simple answer is that if you don’t know your risks, you’re
extraordinarily vulnerable — and the financial costs of a data breach can
be staggering.

CFOs are realizing that information risk management needs to be approached
from a strategic, proactive perspective — not in an ad hoc, reactive way.

If Anthem had done that two years ago, they might have avoided the recent
mega-breach. The company had a wake-up call in 2013 when it was cited by
Health and Human Services’ (HHS) regulators for not having completed a risk
analysis after implementing a new consumer portal. It settled the case for
$1.7 million. That’s a drop in the bucket compared with the costs of their
2015 breach involving 80 million people.

According to many media reports, Anthem will soon deplete its $100 million
cyber-insurance coverage just to notify the victims and provide free
identity-theft and credit monitoring.

Ponemon Research conducts annual studies on the cost of a data breach,
which consistently hovers around $200 per record. But that number doesn’t
include the hard-to-calculate costs like reputational repercussions,
business distraction, class-action lawsuits, and regulatory fines.

Here’s a more complete breakdown of the kinds of costs associated with a
data breach:

Investigation. A forensics team needs to determine how the system was
compromised and what data was affected — and whether anything was deleted
or deliberately altered. Then that team has to ensure that malware, if the
culprit, isn’t still lurking somewhere in the system.

Remediation. This is the cost of putting in the controls or safeguards that
should have already been put in place to avoid the breach.

Notification. The cost of this alone is daunting. In the health-care field,
any breach involving more than 500 patient records requires immediate
notification to the affected individuals, federal regulators, and the media.

Notification to individuals must be by first class mail unless the
individual has agreed to electronic notice. At 49 cents per stamp, that’s
a $40 million price tag for Anthem and that may not be all, since more than
one mailing may be required as more information becomes available.

Identity-theft repair and credit monitoring. These costs can run anywhere
between $8 and $12 per month per victim, and the term length can be either
one or two years. While this attempt to reduce the probability of further
unauthorized disclosure may provide some solace to the victims, it’s
unlikely to prevent lawsuits.

Regulatory fines. Depending on the industry, fines and penalties can be
quite steep. In the health-care field, for example, the minimum fine for a
Health Insurance Portability and Accountability Act (HIPAA) violation involving
willful neglect is $1.5 million — and most data breaches involve multiple
HIPAA violations. Even if the civil monetary penalty system isn’t invoked,
HHS has secured settlements as high as $4.8 million.

Disruptions in normal business operations. Because many resources are
diverted to clean up after a data breach, a company’s operational health
can be adversely affected. Most organizations set up a call center to
reduce the business distraction, and some will set up a website to keep
victims informed, but the messaging needs to be developed, edited, and
approved. And then there are the communications and FAQs for employees,
customers, the media, and stakeholders.

Lost business. Data breaches often cause customers to flee to a competitor
and it’s difficult to calculate those costs. But here are some examples:

A Ponemon study determined that the industries with the highest churn rate
were pharmaceuticals, communications, and health care (all at 6%), followed
by financial services (5%).

A Symantec study documented industry “abnormal churn” rates following a
breach, with the financial, communications, and health-care fields leading
the pack with loss rates of 5.6%, 5.2%, and 4.2%, respectively.

The Sony brand didn’t lose its luster after this year’s highly publicized
hack related to its film The Interview, but it completely lost the box
office revenue from that movie, which could have totaled tens of millions.

Class-action lawsuits. What’s the probability of one? Three lawsuits were
filed against Anthem less than 24 hours after the breach announcement.
Target recently announced a $10 million proposal to settle a class-action
lawsuit, offering up to $10,000 for any of the 110 million victims able to
prove they were harmed by its breach.

The asking price in health-care data breach lawsuits has typically been in
the $1,000 per victim range, but few have come to fruition due to the
courts’ reluctance to confer standing on the potential of future harm —
until now. In the Adobe Systems breach case, the U.S. District Court
recently found that such potential future harm is sufficient to allow a
putative class of plaintiffs to proceed in federal court. Stay tuned.

Here’s another thing that could cause CFOs to lose sleep: hackers only
account for about 6% of health-care data breaches. The other 94%
are caused by employee errors and transgressions: losing laptops containing
unencrypted data, snooping into celebrity files, improperly disposing paper
records, and so on. Those breaches don’t always have the magnitude of the
Anthem hack, but they can still carry six-figure price tags.

The main takeaway here is that information risk management is much more
than a technical or compliance issue. There needs to be a company-wide
culture of information security and a formal program to assess and manage
risks.

That’s why it’s important to conduct annual information risk analyses and
use “maturity models” to see how your organization stacks up against
industry benchmarks and best practices. Just by doing so, you can reduce
the chances of a breach, save your company millions of dollars, and stay
out of the headlines.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
