
Is Your Business a Data Breach Away from Disaster?

Written by: Cameron G. Shilling

Published in Business NH Magazine

According to the 2013 Data Breach Investigations Report conducted by the Verizon RISK Team (Report), businesses participating in that study reported more than 47,000 data security incidents in 2012 alone, and that is just a fraction of the total that actually occur in the entire marketplace annually.

The vast majority of breaches occur at small or medium-sized businesses, and involve only a few hundred or thousand records. According to the New Hampshire Department of Justice’s website, businesses have reported 900 data security breaches affecting New Hampshire residents since 2007, with 185 of those breaches reported just last year. Nearly every state’s laws (including New Hampshire) and several federal laws require businesses to notify government authorities and the individuals affected whenever a breach occurs.

Data security breaches are not just perpetrated by Internet hackers looking for credit card numbers. For example, health care providers are targeted for medical and insurance information, and educational institutions are targeted for financial aid and personal information about students, parents and alumni. According to the Report, the newest savory targets are professional services businesses (like accountants, financial advisors, and attorneys), which comprised about 20 percent of breaches in 2012, due to their generally low level of security and high value of client financial and personal information.

Small and medium-sized businesses make easy targets because they routinely store valuable information on notoriously insecure mobile devices (e.g., tablets and smartphones) and laptops with inadequate security (e.g., lacking password protection or encryption), and they routinely transmit information by unencrypted email and engage in social media. According to the Report, in 2012, about 30 percent of breaches resulted from theft or tampering with mobile devices and laptops, and about 20 percent occurred as a result of email phishing or social media hacking.

The Cost of Breaches
The cost of a data security breach can be surprisingly high. According to the 2013 Cost of Data Breach Study: Global Analysis conducted by Ponemon Institute, LLC (Analysis), the total average cost of a breach in 2013 to a United States business was more than $5.4 million per breach.

While that statistic includes the gigantic breaches at large companies, the study also reports that the cost of a domestic breach last year averaged about $190 per record. As such, a common breach at a small or medium-sized business of only 500 to 1,000 records will typically cost the business $100,000 to $200,000, or more.

The costs inherent in a data security breach are often unforeseen by most businesses. These costs include direct expenses to investigate, provide notifications, and remediate the breach, such as for legal counsel, computer forensic consultants, public relations specialists, credit monitoring services, and price concessions. But direct expenses typically account for less than 40 percent of the total costs of a breach. The greater losses, which are often hidden to most businesses, arise from indirect costs, like diminished revenue and profits from lost customer business, and diminished employee productivity from time spent addressing the breach and its aftermath.

Reducing Risk
While no business can completely insulate itself from the risk of a data security breach, every business can and should take steps to reduce the likelihood of a breach. In fact, two states (Massachusetts and California) require businesses in those states – as well as businesses that have personal information about residents of those states – to become data security compliant by proactively implementing measures designed to avoid breaches. Likewise, several federal laws and regulations (such as HIPAA, the SEC rules, and the Gramm-Leach-Bliley Act) require businesses in certain regulated industries to be data security compliant.

Becoming data security compliant, in general, involves:
• Conducting an audit to assess existing security measures and vulnerabilities;
• Designing and executing a plan and timeline to mitigate vulnerabilities;
• Preparing and implementing written data security policies and procedures;
• Appointing and training an employee or employees responsible for data security matters;
• Training all employees concerning security risks, policies and procedures;
• Periodically reassessing existing security measures and vulnerabilities.

Reducing Costs
Engaging in a data security compliance process will not only mitigate the risks of a breach, it can also reduce the costs if a breach occurs.

According to the Analysis, the factors that most effectively reduced the costs of a breach are having in place a security structure to detect when a breach occurs, a written policy for responding to the breach, an employee trained and responsible for addressing a breach, and appropriate and timely notification to state or federal authorities and to the individuals affected by the breach.

These savings when a breach does occur, not to mention the far larger costs avoided when a breach is prevented, more than offset the typical cost of becoming data security compliant.

No business ever expects to be the next media headline, and no businessperson thinks that this will happen to them, until it does. Take steps now to avoid a data security disaster.

Cameron Shilling is a shareholder and director at McLane, Graf, Raulerson & Middleton, and chair of the firm's Privacy and Data Security practice group. He can be reached at 603-628-1351 or [email protected].
