Is Your Business a Data Breach Away from Disaster?

Cameron G. Shilling
Director, Litigation Department & Chair of Cybersecurity and Privacy Group
Published: Business NH Magazine
March 7, 2014

According to the 2013 Data Breach Investigations Report conducted by the Verizon RISK Team (Report), businesses participating in that study reported more than 47,000 data security incidents in 2012 alone, and that is just a fraction of the total that actually occur in the entire marketplace annually.

The vast majority of breaches occur at small or medium-sized businesses, and involve only a few hundred or thousand records. According to the New Hampshire Department of Justice’s website, businesses have reported 900 data security breaches affecting New Hampshire residents since 2007, with 185 of those breaches reported just last year. Nearly every state’s laws (including New Hampshire) and several federal laws require businesses to notify government authorities and the individuals affected whenever a breach occurs.

Data security breaches are not just perpetrated by Internet hackers looking for credit card numbers. For example, health care providers are targeted for medical and insurance information, and educational institutions are targeted for financial aid and personal information about students, parents and alumni. According to the Report, the newest savory targets are professional services businesses (like accountants, financial advisors, and attorneys), which comprised about 20 percent of breaches in 2012, due to their generally low level of security and high value of client financial and personal information.

Small and medium-sized businesses make easy targets because they routinely store valuable information on notoriously insecure mobile devices (e.g., tablets and smartphones) and laptops with inadequate security (e.g., lacking password protection or encryption), and they routinely transmit information by unencrypted email and engage in social media. According to the Report, in 2012, about 30 percent of breaches resulted from theft or tampering with mobile devices and laptops, and about 20 percent occurred as a result of email phishing or social media hacking.

The Cost of Breaches

The cost of a data security breach can be surprisingly high. According to the 2013 Cost of Data Breach Study: Global Analysis conducted by Ponemon Institute, LLC (Analysis), the total cost of a breach to a United States business in 2013 averaged more than $5.4 million per breach.

While that statistic includes the gigantic breaches at large companies, the study also reports that the cost of a domestic breach last year averaged about $190 per record. As such, a common breach at a small or medium-sized business involving only 500 to 1,000 records will typically cost the business $100,000 to $200,000, or more.

The costs inherent in a data security breach are often unforeseen by most businesses. These costs include direct expenses to investigate, provide notifications, and remediate the breach, such as for legal counsel, computer forensic consultants, public relations specialists, credit monitoring services, and price concessions. But direct expenses typically account for less than 40 percent of the total cost of a breach. The greater losses, which are often hidden from most businesses, arise from indirect costs, like diminished revenue and profits from lost customer business, and diminished employee productivity from time spent addressing the breach and its aftermath.

Reducing Risk

While no business can completely insulate itself from the risk of a data security breach, every business can and should take steps to reduce the likelihood of a breach. In fact, two states (Massachusetts and California) require businesses in those states – as well as businesses that have personal information about residents of those states – to become data security compliant by proactively implementing measures designed to avoid breaches. Likewise, several federal laws and regulations (such as HIPAA, the SEC rules, and the Gramm-Leach-Bliley Act) require businesses in certain regulated industries to be data security compliant.

Becoming data security compliant, in general, involves:

• Conducting an audit to assess existing security measures and vulnerabilities;
• Designing and executing a plan and timeline to mitigate vulnerabilities;
• Preparing and implementing written data security policies and procedures;
• Appointing and training an employee or employees responsible for data security matters;
• Training all employees concerning security risks, policies and procedures;
• Periodically reassessing existing security measures and vulnerabilities.

Reducing Costs

Engaging in a data security compliance process will not only mitigate the risks of a breach, it can also reduce the costs if a breach occurs.

According to the Analysis, the factors that most effectively reduced the cost of a breach were having a security structure in place to detect when a breach occurs, a written policy for responding to the breach, an employee trained and responsible for addressing the breach, and appropriate and timely notification to state or federal authorities and to the individuals affected by the breach.

These cost savings alone, if a breach occurs, not to mention the far larger costs avoided if a breach is prevented, more than offset the typical costs of becoming data security compliant.

No business ever expects to be the next media headline, and no businessperson thinks that this will happen to them, until it does. Take steps now to avoid a data security disaster.