The hidden cost of data breaches that you should know about, but probably don’t
It’s no secret that data breaches are costly, both in monetary and reputational terms, but there’s often a lot more to a data breach than initially meets the eye. More often than not, the effects of a data breach are long-lasting and multifaceted.
Research conducted by the National Cyber Security Alliance suggests that around 60% of small and medium-sized businesses that have experienced a cyber-attack go out of business within six months as a result. There are several possible reasons for this, however underestimating the hidden costs associated with data breaches can be a grave mistake for organizations.
Consider that the average cost of a data breach in the U.S., according to a 2018 study by the Ponemon Institute, was $233 per record breached, and in some industries the cost was several times higher. Now, a couple hundred dollars plus change may not sound like a lot, until you consider that the average number of records breached was 31, 465, in which case the average data breach cost more than $7 million!
Reputational damage & loss of trust
A publicized data breach has the potential to significantly devalue an organization’s brand and reputation. While any damage incurred can be mitigated to an extent with an effective public relations strategy, this in itself can carry additional expenses, particularly if it’s outsourced. Even with an operational crisis management plan, it can often be a case of too little, too late.
In a recent survey by independent technology market research specialist, Vanson Bourne, over three-quarters of respondents stated that they would move away from companies with a high record of data breaches. As a result, an organization may need to considerably increase their sales and marketing budget in order to recuperate the customer base lost as a result of the breach, a process made all the more difficult – and expensive – by a tarnished reputation.
Despite the threat of lost business due to customer churn, businesses need to be aware of and comply with regulatory requirements for the written notification of customers who may have been affected by the breach. Many of you no doubt have received at least one or more letters from various retailers, hotel chains or other corporations notifying you that a data breach had occurred at some point in the past, and explaining what information may have been compromised. These letters may also include an offer of free credit reporting for a year, but don’t be impressed by this act of seeming corporate responsibility – it’s required by law to offer the credit reporting service to all affected customers!
In addition, some regulations require notification of authorities or regulatory agencies within a specified period of time following discovery that a breach has occurred. For example, entities covered by HIPAA have until March 1, or 60 days following the calendar year in which the breach occurred, to report small data breaches that affected fewer than 500 individuals. Larger data breaches are required to be reported “without unreasonable delay” and no later than 60 days following discovery of the breach. Failure to comply with notification requirements in a timely manner can result in added fines and penalties.
In the wake of a data breach, while investigations are taking place and the extent of the damage is being examined, day-to-day activity is often suspended as all affected networks must be taken offline. During this time, companies still have to cover running costs such as wages, rent and utilities as well as the potential loss of revenue incurred because of reduced interoperability.
Such disruption can have a detrimental effect on staff productivity too; projects can lose momentum and staff morale can really suffer in an unstable working environment.
Whether it is the result of inadequate cyber defense systems, human error, or a combination of both, a data breach highlights weaknesses within an organization’s security framework that need to be addressed at board level. Such meetings can take several high-salaried partners and employees out of the business for days, even weeks at a time, at a considerable impact to the business.
On top of all this are the security specialists and legal consultants that may need to be drafted in to help clean up the mess. These consultants should, at a minimum, conduct a thorough security audit and network scan, prepare a risk analysis and risk management report detailing the steps needed to prevent future data breaches, and formulate an implementation plan and timeline to put those steps into practice. These outside consulting services do not come cheap.
If the breach occurred as the result of employee negligence (about a quarter of all breaches are attributed to human error), additional cyber-awareness training courses will need to be arranged so that staff members are better equipped to recognize threats in the future. This not only presents an additional cost in itself but will also require staff to take paid time out of their daily responsibilities to undergo training. Remember, employee training is never one-and-done, but should be conducted on a regular recurring basis, at least once or twice a year.
Increasing insurance premiums
Some businesses are less concerned then they should be about an external data breach because “we have cyber-insurance.” However, it is likely that an organization will suffer a hike in premiums following a data breach incident, the total costs of which could exceed the coverage, drastically affecting business overhead and, in some cases, even causing a business to fall out of profit. It may also have a negative impact on a business’ credit score which in turn could present additional financial obstacles further down the line.
Even worse, some insurance companies are now attempting to ‘claw-back’ payouts following subsequent determinations that the insured’s negligence was the primary cause of a data breach. A landmark case in this regard is Columbia Insurance vs. Cottage Health, in which the insurer sued to recover a $4+ million settlement of class action claims it had paid after the healthcare provider and its IT service vendor were found to be negligent by allowing a server containing thousands of confidential customer records to be accessible to anyone on the public Internet.
The truth is, there will always be a price to pay when a data breach strikes. However, knowing where the costs lie and being prepared can help companies invest their resources more strategically and keep financial losses to a minimum.
When it comes to cybersecurity and data breach protection, prevention is always better than cure. Therefore IT organizations must equip staff with the tools they need to carry out their jobs efficiently and securely. Sfax’s advanced cloud service empowers businesses in virtually every industry to improve the security of their document workflow processes with its digital online fax service, allowing users to fax securely from anywhere via any Internet-connected device.