Written by Ed McGuire, Director of Specialty Insurance, FBinsure
You’ve spent time and money to implement the latest safeguards to protect your customer and employee data. You’ve securely configured your firewalls. You test and install security patches and upgrades within 48 hours of notification. You back up network data and configuration files daily. You employ anti-virus software and update it daily. You also employ intrusion protection and detection systems and update and test them regularly.
These and many other procedures you may have implemented to protect your customer and employee data are all pro-active steps. However, the harsh reality is that no matter how much you spend and how many safeguards you employ, if a hacker or rogue employee wants your data THEY WILL GET IT! Regardless of the size or type of business you have, you are still a target. The fact is hackers do not discriminate. Hackers are usually on step 10 while businesses are usually on steps 3 or 4. You cannot totally prevent hackers from accessing your data. The best possible outcome you can hope to achieve is to mitigate the damage once you discover your customer or employee data has been compromised.
The initial out-of-pocket costs to a business in the first 30-90 days after discovering a breach can be staggering when you consider the physical notification of breached parties, credit monitoring, privacy attorneys, call centers, forensics, and public relations firms, not to mention any regulatory fines and penalties you may incur because of the breach. The average cost as a result of a breach is $201 per record, per the Ponemon Institute, LLC “2014 Annual Study: Cost of a Data Breach”. If you do business in multiple states, Canada or the European Union, your out-of-pocket post-breach expenses can sky-rocket. Also, if you use third-party or out-sourced vendors to store or service your customer or employee data, or store that data in The Cloud, you have increased your exposure to a breach exponentially. The key fact to remember is that it’s not who had the breach; it’s who owns the data that was breached. If you entrust your customer or employee data to a third-party or out-sourced vendor to store or service on your behalf, or it is in The Cloud, and it is breached, you are the owner of the data and you are responsible for the notification of the breached parties and the costs mentioned above.
Currently 47 states have breach notification laws in effect, as do DC, Puerto Rico and the Virgin Islands. Virtually all state privacy laws make the party who owns the breached data, not the party who caused the breach, the one required to notify the breached individuals. Canada and the European Union have their own specific notification laws and requirements. If you are not prepared for the possible business-altering expenses you will incur if you have a data breach, it could have a material impact upon the survivability of your business, as these costs will come directly off your bottom line. You could also be drawn into protracted and expensive litigation filed against you by customers or employees whose data has been breached. These costs are in addition to the post-breach out-of-pocket expenses your business will incur to deal with the breach.
The questions you need to ask yourself are: How will your business pay for these post-breach expenses? How will your business pay the defense costs incurred in a lawsuit and the damages that may be awarded to the breached individuals? How do you transfer this risk and these expenses to another source?