Target, Neiman Marcus and Michael’s Crafts have all recently found themselves in the media spotlight after data security breaches put the personal information of millions of their customers in jeopardy. But big retailers are not the only businesses at risk. Breaches are on the rise for all businesses, including small and medium-sized businesses. In light of the significant costs and other ramifications of a data security breach, your business could be one breach away from disaster.
According to the 2013 Data Breach Investigations Report conducted by the Verizon RISK Team, businesses participating in that study reported more than 47,000 data security incidents in 2012 alone, and that is just a fraction of the total that actually occur in the entire marketplace annually.
The vast majority of breaches occur at small or medium-sized businesses and involve only a few hundred or thousand records. Businesses have reported 900 data security breaches affecting NH residents since 2007, with 185 of those breaches reported just last year, according to the NH Department of Justice. Nearly every state’s laws (including NH) and several federal laws require businesses to notify government authorities and the individuals affected whenever a breach occurs.
Data security breaches are not just perpetrated by Internet hackers looking for credit card numbers. For example, health care providers are targeted for medical and insurance information, and educational institutions are targeted for financial aid and personal information about students, parents and alumni. According to the Report, the newest attractive targets are professional services businesses (like accountants, financial advisors, and attorneys), which accounted for about 20 percent of breaches in 2012, because they generally have weak security and hold high-value client financial and personal information.
Small and medium-sized businesses make easy targets because they routinely store valuable information on notoriously insecure mobile devices and laptops with inadequate security (lacking password protection or encryption), and routinely transmit information by non-encrypted email and engage in social media. According to the report, in 2012, about 30 percent of breaches resulted from theft or tampering with mobile devices and laptops, and about 20 percent occurred as a result of email phishing or social media hacking.
The Cost of Breaches
The cost of a data security breach can be surprisingly high. According to the 2013 Cost of Data Breach Study: Global Analysis conducted by Ponemon Institute, the average cost of a breach in 2013 for a United States business was more than $5.4 million per breach.
While that average includes the gigantic breaches at large companies, the study also reports that the cost of a domestic breach last year averaged about $190 per record. As such, a common breach at a small or medium-sized business of 500 to 1,000 records will typically cost the business $100,000 to $200,000, or more.
The costs inherent in a data security breach are often unforeseen by most businesses. These costs include direct expenses to investigate, provide notifications and remediate the breach, such as for legal counsel, computer forensic consultants, public relations specialists, credit monitoring services and price concessions. But direct expenses typically account for less than 40 percent of the total cost of a breach. The greater losses, which are often hidden to most businesses, arise from indirect costs, like diminished revenue and profits from lost customer business, and diminished employee productivity from time spent addressing the breach and its aftermath.
Reducing Risk
While no business can completely insulate itself from the risk of a data security breach, every business can and should take steps to reduce the likelihood of a breach. In fact, two states (Massachusetts and California) require businesses in those states—as well as businesses that have personal information about residents of those states—to become data security compliant by proactively implementing measures designed to avoid breaches. Likewise, several federal laws and regulations (such as HIPAA, the SEC rules and the Gramm-Leach-Bliley Act) require businesses in certain regulated industries to be data security compliant.
Becoming data security compliant, in general, involves:
• Conducting an audit to assess existing security measures and vulnerabilities;
• Designing and executing a plan and timeline to mitigate vulnerabilities;
• Preparing and implementing written data security policies and procedures;
• Appointing and training an employee or employees responsible for data security matters;
• Training all employees concerning security risks, policies and procedures;
• Periodically reassessing existing security measures and vulnerabilities.
Reducing Costs
Engaging in a data security compliance process will not only mitigate the risks of a breach, it can also reduce the costs if a breach occurs.
According to the Ponemon Institute study, the factors that most effectively reduced the costs of a breach are having in place a security structure to detect when a breach occurs, a written policy to respond to the breach, an employee trained and responsible for addressing a breach, and appropriate and timely notification to state or federal authorities and individuals affected by the breach.
These savings alone, if a breach occurs, not to mention the far larger costs saved if a breach is avoided altogether, more than offset the typical costs of becoming data security compliant.
No business ever expects to be the next media headline, and no businessperson thinks that this will happen to him or her, until it does. Take steps now to avoid a data security disaster.
Cameron Shilling is a shareholder and director at McLane, Graf, Raulerson & Middleton and chair of the firm’s Privacy and Data Security practice group. He can be reached at 603-628-1351 or cameron.shilling@mclane.com.