Far too many companies pay little more than lip service to compliance regulations and privacy laws. In my experience, this happens because of either ignorance or “it costs too much.” They may not even have a written security policy, or, if they do, they largely ignore it in practice.
I can’t do much about ignorance. It’s the old horse and water problem.
The cost issue is real. It can be expensive to keep your software current and your systems updated with the latest malware protection and detection software. It can be time consuming to train your people on best practices, or sometimes just smart practices. But like the old FRAM filter commercial, you can pay me now or pay me later.
Numerous studies have pegged the real, measurable cost of a data breach at about $200 per lost record. While your specific case will be unique, over the past several years and across a wide variety of companies and government organizations, this $200 per record has been relatively consistent. It really doesn’t matter whether the information you lost is financial, medical, or other personal information.
But often the real cost of a breach is lost trust. Sending out the “we are really sorry” letter is often required by law, and always the ethically right thing to do. If you don’t, someone will tell on you, and like with General Motors and the faulty ignition switch, the damage done by trying to hide the flaw is worse. While that problem was not the result of a cyber-criminal act, it may be a lesson in not hiding. GM’s profits plunged 86% in the first quarter of 2014, and GM faces more than 50 class action lawsuits in the US, and more in other countries.
Unfortunately, unless you are a government organization, up to 60% of your customers who do get that “we’re so sorry” letter will not do business with you for some period of time, if ever.
Take Target as an example. As a direct result of a successful cyber-criminal attack, Target’s fourth-quarter profit fell 46% year over year, and analysts expect it to be down further for the first quarter of this year. The direct fourth-quarter cost to Target of the credit card breach it disclosed in December: $61M. That amount does not include any allowance for claims by the credit card companies. A Target spokesman said, “At this time we are not able to reasonably estimate a range of possible losses on the payment card networks’ potential claims in excess of the amount accrued.”
Target delayed taking any action after its security team in Bengaluru (formerly Bangalore), India, reported suspicious activity on November 30. The security team at Target HQ in Minneapolis decided it “did not warrant immediate follow up.” Oops.
As often happens after a breach, sales themselves fell only 2.5%. Target did everything it could to keep customer traffic up by offering substantial discounts, and those discounts are what significantly cut into profit.
Target is now searching for a new CEO after replacing their CIO.
The same exposure exists in the health care field. Advocate Health System is the largest fully integrated health care delivery system in metropolitan Chicago and the state of Illinois. They disclosed a massive data breach last August. Four laptops were physically stolen from its facility in Park Ridge, IL. Those laptops contained HIPAA-protected information, including Social Security numbers, for about four million people, and none of it was encrypted. Had those drives been encrypted, the theft would have been a hardware loss rather than a reportable breach: under the HIPAA breach notification rule, protected health information encrypted in line with HHS guidance is not considered “unsecured,” so no notification is required. The theft occurred on July 15; Advocate sent the “We deeply regret” letter out on August 23. While Advocate promised a “thorough review of our policies and procedures,” they do not have a very good security record. In 2009, Advocate had a breach involving 812 patients. Seems an employee’s unencrypted laptop had been stolen.
In addition to potential direct costs in the hundreds of millions of dollars, Advocate now faces a class action lawsuit filed by affected patients. Are these people just looking for a way to take advantage of Advocate in our increasingly litigious society? Maybe not. Javelin Strategy and Research reported in its “2014 Identity Fraud Study” that one-third of those who received a “We are so sorry” letter in 2013 became a victim of identity fraud. This is almost seven times the general population identity fraud rate of 4.9%.
The last word:
Your company is being attacked. You will have a breach. When and how badly that impacts your business depends a lot on how well you, your employees and your partners pay attention to security best practices. Finding out quickly and taking action quickly will make a big difference to your bottom line, and your career.
Keep your sense of humor.