Reports of corporate data breaches continue to pass through news headlines with such frequency that they barely merit a time slot in the evening news. However, in 2006, as many as 9,300,000 Americans were victims of identity theft. According to the Better Business Bureau, each victim lost on average more than $6,300 and over 40 hours on the phone with creditors and credit bureaus working to clear their names. Businesses suffer greatly as well, losing a collective $50 million each year as a result of data breaches.
A new study commissioned by Scott & Scott, LLP, a law and technology services firm focusing on data privacy and network security, confirms that the effects of data breaches are far reaching and can be detrimental to a company of any size.
The survey, entitled The Business Impact of Data Breach, and conducted by the research firm The Ponemon Institute, examined the responses of more than 700 US-based C-level executives, managers, and IT security officers in mid-size to large businesses spanning all industries.
According to the study, an alarming 85% of respondent businesses admitted that they have experienced a data security breach. Despite the frequency of such security failures, 46% of businesses failed to implement encryption solutions even after suffering a data breach, and 82% did not seek legal counsel prior to responding to the incident despite having no prior response plan in place.
These results show that businesses are struggling to implement the proper policies and controls required to prepare for and mitigate the legal, regulatory, and financial risks associated with a security failure – both before and after a data breach occurs. In addition, many businesses may be discounting the long-term threat to customer retention and corporate reputation.
To put it simply, breach notification is very costly to businesses. They face the upfront costs of notifying data subjects and investigating and controlling the breach, many face potential litigation and fines, and then there are the intangible costs associated with damage to the corporate brand, loss of customers, decline in share value, and reputation management.
Key Findings
Results from the survey include the following:
- More than 85% of respondent organizations reported that they have experienced a data breach event.
- Of those organizations, fewer than 43% had an incident response plan in place, and 82% failed to consult with legal counsel before responding to the incident.
- Following a breach, 46% of organizations still failed to implement encryption technology on portable devices.
- 95% of businesses suffering a data breach were required to notify data subjects whose information was lost or stolen.
- 97% were required to notify under state statutes.
- 58% were required to notify under federal privacy acts such as HIPAA and GLBA.
- Organizations that suffered a data breach actually employ substantially more IT and data security measures than organizations that did not experience a data breach.
- 37% of respondents say their organizations sent blanket notifications, rather than precise notifications.
- Organizations experiencing a data breach incurred costs across the board:
  - 74% report loss of customers.
  - 59% faced potential litigation.
  - 33% faced potential fines.
  - 32% experienced a decline in share value.
- Almost half of the breach incidents were attributed to lost or stolen equipment such as laptops, PDAs, and memory sticks. The second largest threat came from negligent employees, temporary employees, and/or contractors.
- Despite the frequency of data breach events, 42% of respondents claim their organization’s IT security spending will remain the same in the coming year.
Lessons for Businesses
The evidence is clear that data breaches are a pervasive problem for most organizations in the United States today. Yet, despite negative repercussions in terms of cost outlays and reputation diminishment, many companies do not take appropriate steps to prevent data breach, or to prepare for and mitigate the risks when the inevitable occurs.
Privacy Policies and Incident Response Planning:
Of the respondents, 57% did not have an incident response plan in place at the time of the data breach. By taking proactive steps to review and revise privacy policies, implement stringent security policies, and develop and follow a formal notification and crisis management plan for any breach, businesses can significantly reduce the legal, financial, and regulatory risks associated with data breach.
Encryption:
Perhaps the most significant finding in the survey is that despite having experienced a data breach, 46% of respondents failed to implement encryption technology on electronic devices. Encryption is the single most effective way to avoid the negative business impact of data breaches. Under most privacy statutes, if data is protected with encryption the business is free from notification requirements. Encryption technology can cost as little as $100 per device and typically takes less than one-half hour of IT services time to install.
Legal Counsel:
The legal landscape governing data privacy is complex, with thirty-five separate state regulations and numerous federal and international regulations that may be applicable to a particular incident, yet 82% of businesses responded to a data breach without first consulting legal counsel. In such cases, companies tend to over-report. In fact, 37% of respondents said their organizations sent blanket notifications rather than precise notifications. This is where legal counsel can be invaluable in helping determine which regulations apply to a particular incident.
Corporate Identity Theft Insurance:
With 74% of respondents reporting loss of customers, 59% facing potential litigation, and 33% facing potential fines, any company utilizing electronic data should investigate data security and privacy insurance, which can substantially mitigate the financial risks of a data breach. Forward-looking insurance providers such as AIG and CNA have recognized the need for this type of coverage and are offering a variety of types, including inside job coverage, service provider coverage, employee claimant coverage, regulatory coverage, and third-party handling coverage. Because nothing is failsafe, even businesses that have implemented the most aggressive security technologies are well advised to consider purchasing corporate identity theft insurance.