This is a legitimate question many business owners may keep asking themselves when they hear of another data breach occurring at a major retailer, healthcare provider or financial institution. The majority of businesses are far below the size category of the large and well-known victims of data breaches. These business owners may rationalize that they have a minimal cyber liability exposure. This may make them feel that they are less of a target and their data may not be of value to cyber criminals or fraudsters. Nothing could be further from the truth. In fact, they are actually a greater target for organized cyber rings and fraudsters, because these attackers know that small to medium-sized businesses have fewer resources to obtain the proper safeguards to fend off such an attack.
The bigger question business owners of any size should be asking is what they will do if their business has a breach. If this question has not been addressed prior to a breach, then a business owner will have a slew of expenses and legal requirements to manage. Most likely, these businesses are not equipped to handle these expenses and legal requirements. One of the biggest issues affecting a business that suffers a breach is that running their business virtually stops the same day that the breach is discovered. Why is this? This happens because panic usually ensues after a breach is discovered. The focus on determining what data has been breached, how it occurred, who is responsible and what needs to be done takes everyone’s eye off the ball. They become so focused on the issues surrounding the breach that they forget they still have a business to run. The result can be a sudden and harmful decline in revenue, loss of customers and loss of market share. This financial Armageddon could not happen at a worse time. If a business has not taken the right preparatory steps prior to a breach, mitigating the financial and legal fallout may cause the business to fail. These costs will increase exponentially if the business has customers and/or employees in more than one state or other countries.
A business owner simply can’t lock the doors, turn off the lights and walk away. They are liable for the breach since they own the data, regardless of how the breach occurred or who caused the breach. These costs and expenses must be paid. They include, but are not limited to: notifying breached parties, forensic investigation costs, call centers, public relations firms, credit monitoring and privacy attorney costs. This all comes from the business’ bottom line. Fines and penalties that may be assessed by the FTC, HHS, HIPAA as well as state regulators must also be added to these expenses. Let’s also not forget about the costs associated with possible litigation resulting from the breach.
Transferring the ability to pay for these expenses beforehand is what cyber liability insurance is for. A properly structured policy can defray the vast majority (if not all) of these expenses as well as provide the expertise a business needs to manage the aftermath of the breach. It’s a clear and simple choice: pay pennies on the dollar to ensure that these expenses are addressed beforehand or pay whole dollars directly from the bottom line after the breach has occurred and hope that you get it right.