Reports of corporate data breach continue to pass through news headlines with such frequency that they barely merit a time slot in the evening news. However, in 2006, as many as 9,300,000 Americans were victims of identity theft. According to the Better Business Bureau, each victim lost on average more than $6,300 and over 40 hours on the phone with creditors and credit bureaus working to clear their names. Businesses suffer greatly as well, losing a collective $50 million each year as a result of data breach.
A new study commissioned by Scott & Scott, LLP, a law and technology services firm focusing on data privacy and network security, confirms that the effects of data breaches are far reaching and can be detrimental to a company of any size.
The survey, entitled The Business Impact of Data Breach, and conducted by the research firm The Ponemon Institute, examined the responses of more than 700 US-based C-level executives, managers, and IT security officers in mid-size to large businesses spanning all industries.
According to the study, an alarming 85% of respondent businesses admitted that they have experienced a data security breach. Despite the frequency of such security failures, 46% of businesses failed to implement encryption solutions even after suffering a data breach, and 82% did not seek legal counsel prior to responding to the incident despite having no prior response plan in place.
These results show that businesses are struggling to implement the proper policies and controls required to prepare for and mitigate the legal, regulatory, and financial risks associated with a security failure – both before and after a data breach occurs. In addition, many businesses may be discounting the long-term threat to customer retention and corporate reputation.
To put it simply, breach notification is very costly to businesses. They face the upfront costs of notifying data subjects and investigating and controlling the breach, many face potential litigation and fines, and then there are the intangible costs associated with damage to the corporate brand, loss of customers, decline in share value, and reputation management.
Key Findings
Results from the survey include the following:
- More than 85% of respondent organizations reported that they have experienced a data breach event.
- Of those organizations, less than 43% had an incident response plan in place, and 82% failed to consult with legal counsel before responding to the incident.
- Following a breach, 46% of organizations still failed to implement encryption technology on portable devices.
- 95% of businesses suffering a data breach were required to notify data subjects whose information was lost or stolen.
- 97% were required to notify under state statutes.
- 58% were required to notify under federal privacy acts such as HIPAA and GLBA.
- Organizations that suffered data breach actually employ substantially more IT and data security measures than organizations that did not experience a data breach.
- 37% of respondents say their organizations sent blanket notifications, rather than precise notifications.
- Organizations experiencing a data breach incurred costs across the board.
- 74% report loss of customers.
- 59% faced potential litigation.
- 33% faced potential fines.
- 32% experienced a decline in share value.
- Almost half of the breach incidents were attributed to lost or stolen equipment such as laptops, PDAs, and memory sticks. The second largest threat came from negligent employees, temporary employees, and/or contractors.
- Despite the frequency of data breach events, 42% of respondents claim their organization’s IT security spending will remain the same in the coming year.
Lessons for Businesses
The evidence is clear that data breaches are a pervasive problem for most organizations in the United States today. Yet, despite negative repercussions in terms of cost outlays and reputation diminishment, many companies do not take appropriate steps to prevent data breach, or to prepare for and mitigate the risks when the inevitable occurs.
Privacy Policies and Incident Response Planning:
Of the respondents, 57% did not have an incident response plan in place at the time of the data breach. By taking proactive steps to review and revise privacy policies, implement stringent security policies, and develop and follow a formal notification and crisis management plan for any breach, businesses can significantly reduce the legal, financial, and regulatory risks associated with data breach.
Perhaps the most significant finding in the survey is that despite having experienced a data breach, 46% of respondents failed to implement encryption technology on electronic devices. Encryption is the single most effective way to avoid the negative business impact of data breaches. Under most privacy statutes, if data is protected with encryption the business is free from notification requirements. Encryption technology can cost as little as $100 per device and typically takes less than one-half hour of IT services time to install.
The legal landscape governing data privacy is complex, with thirty-five separate state regulations and numerous federal and international regulations that may be applicable to a particular incident, yet 82% of businesses responded to a data breach without first consulting legal counsel. In such cases, companies tend to over-report. In fact, 37% of respondents said their organizations sent blanket notifications, rather than precise notifications. This is where legal counsel can be invaluable in helping determine what regulations may be applicable to a particular incident.
Corporate Identity Theft Insurance:
With 74% of respondents reporting loss of customers, 59% facing potential litigation, and 33% facing potential fines, any company utilizing electronic data should investigate data security and privacy insurance, which can substantially mitigate the financial risks of a data breach. Forward-looking insurance providers such as AIG and CNA have recognized the need for this type of coverage and are offering a variety of types, including inside job coverage, service provider coverage, employee claimant coverage, regulatory coverage and third-party handling coverage. Because nothing is failsafe, even businesses that have implemented the most aggressive security technologies are well advised to consider purchasing corporate identity theft insurance.