Data Security Costs

Data Security Costs to Businesses

Data security costs can drive a company to bankruptcy. When analyzing data security costs, a data breach is often said to cost an average of about $7.2 million per incident. I am frequently asked how that can be. The answer is that a breach has many direct and indirect costs that are often overlooked, which is why I decided to identify some of them here.


Direct Data Security Costs from a Breach

  • FTC fines
  • Lawsuits
  • Biennial Audits
  • Credit reports
  • Notification letters
    • Letter goes to every customer, employee and vendor and will get picked up by the press
  • Attorney fees
  • State and Federal Privacy Non-Compliance Fines
    • FACTA
      • Federal fines up to $2,500 per violation
      • State fines up to $1,000
    • Red Flags
      • Civil penalties of up to $3,500 per violation
    • HITECH
      • If entity did not know of violation, penalties of $100-$50,000 per violation
      • If violation is due to willful neglect and failure is corrected within 30 days, penalties of $10,000 – $50,000 per violation
      • If violation is due to willful neglect and failure is not corrected within 30 days, penalties of at least $50,000 per violation
    • HIPAA
      • Noncriminal violation (including disclosures made in error)
        • Fines of $100 – $50,000 per violation and up to $25,000 – $1.5 million per year, for similar violations
      • Potential criminal penalties:
        • Wrongful disclosure: $50,000 fine, 1 year in prison, or both
        • Offense under false pretenses: $100,000 fine, 5 years in prison, or both
        • Offense with intent to sell information: $250,000 fine, 10 years in prison, or both
    • GLBA
      • Financial institution subject to civil penalty of not more than $100,000 for each violation
      • Officers and directors subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation
      • Criminal penalties of up to 5 years in prison
    • SOX
      • Any individual who destroys, alters, or falsifies records with the intent to impede, obstruct, or influence an investigation will be fined, imprisoned for not more than 20 years, or both
    • MA State Law
      • Civil penalties of $5,000 per violation plus reasonable costs of investigation and litigation
      • Fines of up to $50,000 for each instance of improper data disposal
    • CA State Law
      • Any injured customer may institute a civil action to recover damages
      • Civil penalties of $500 per violation or up to $3,000 per violation for willful, intentional or reckless violations

Indirect Data Security Costs from a Breach

  • Bad press
  • Stock price falls
  • Management refocus
  • Tarnished brand
  • Lost customers
    • 20-30% typically will leave
  • Lost new accounts
  • Layoffs

Statistics on the Data Security Costs from a Breach

  • 4 out of 10 doctors/hospitals have caught patients using someone else’s information to obtain healthcare services – PricewaterhouseCoopers
    • Patients seeking medical services under someone else’s name was the second most common privacy or security issue reported by healthcare providers.
    • Medical identity theft is the fastest-growing form of identity theft, affecting 1.42 million Americans in 2010 and costing more than $28 billion.
    • The single most commonly reported breach was improper use of patient data by a person who works for a doctor’s office, hospital, insurance company, or life sciences organization.