Data breaches hurt. Just ask Equifax, the latest poster child in the ongoing litany of companies where breaches may have exposed customer data. It joins the ranks of Target and Home Depot in offering real-life examples of expensive and painful business-recovery plans.
A recent Forrester Research report, “Calculate The Business Impact And Cost Of A Breach,” outlines possible impacts from a data breach and cost considerations for companies developing security and data safety protocols.
The business impact and cost of a data breach are hard to quantify, but the costs can be significant and ongoing. A breach is the gift that keeps on giving: costs can keep arriving for years afterward. With that in mind, it is important to develop a business case for investing in security technologies and for designing processes that speed mitigation.
Doing a breach cost estimate is an eye-opening experience for company executives, notes Forrester senior analyst Heidi Shey. A breach can affect everything from staff retention to regulatory fines, create additional security and audit requirements and result in loss of customers and brand reputation.
Understanding potential costs if a company experiences a data breach lets security and risk management staff develop appropriate responses and estimate what it might cost to cover repairs and facilitate damage control.
It is difficult to estimate how at risk a company is for a data breach, which makes it equally hard to decide how much to spend on security technology and operations. Reviewing the potential costs, however, gets the conversation started. On the technical side these include paying for incident response services, forensics and lost productivity; on the operational side they include fines and the cost of notifying affected individuals and the various regulatory bodies.
Breach costs include possible staff departures and retraining, employee downtime if systems have to go offline, and payments for settlements, lawsuit awards and any charges levied by financial institutions to recover their card-replacement costs. Fines, the cost of providing documentation to regulators, the cost of fixing the areas where the breach occurred and the cost of hardening systems against new threats can also add up. Settlements for HIPAA violations reached as high as $5.5 million in 2017, the report notes. Then there are the costs of rebuilding brand confidence and remaining competitive.
Preventive measures ultimately help reduce the cost of mitigation and damage control, the report notes. Having a plan in place also makes a fast, effective breach response possible, which matters most when the situation is in the public eye. “Breaches are no longer a matter of ‘if’ but ‘when,’ so you must take steps to both mitigate your risk and plan for failure,” Shey notes.
Pre-breach planning lays out the range of actions a recovery needs, from putting an incident response and investigation firm on retainer, to arranging public relations crisis management, to making new hires. The cost of expert legal fees and legal settlements makes cyberinsurance worth discussing as well.
Identify the most likely ways your company would be affected by data loss. A retailer, for instance, would face attackers going after customer card data through point-of-sale terminals, while a law firm might face employees accidentally exposing sensitive client data. Then use those examples to plan the company’s response, and have security and risk (S&R) staff present scenarios that show levels of impact and damage, outline where costs may vary, and explain how the company’s level of preparedness affects the bottom line.
With incident response and investigation costs ranging from $20,000 to $10 million or more, and legal settlements going as high as Anthem Inc.’s $115 million settlement of a class-action lawsuit over a 2015 attack that exposed the personal information of close to 79 million people, Forrester notes that these planning exercises can justify data security investments.