While our main focus is providing IT compliance and security consulting services, we have been called in to help a few small businesses handle security incidents and data breaches. These calls come to us after the client has discovered that there has been a security incident or data breach and, as a result, is seeking to engage a security consulting firm for the first time.
In such cases, SystemExperts typically has to guide the client through the entire incident response process. Too often in these cases the client is not aware of its legal obligations regarding notifications and the triggers that determine what notifications must be performed. SystemExperts has found that in some cases, small companies are not fully aware of what laws, regulations, or contractual obligations are applicable prior to discovering the security incident.
In our experience, the impacts of a data breach vary widely. Companies that have an existing security program and an established, previously tested security incident response policy and plan suffer smaller impacts. Companies that have not prepared for a data breach in advance typically experience the greatest impact.
A data breach could cause the financial failure of a company, although none of SystemExperts’ clients have suffered that consequence. Other impacts can include:
- System outages of several days as changes are made to prevent a reoccurrence
- Loss of business due to reputation damage
- Costs associated with notifying all impacted individuals
- Costs associated with compensating all impacted individuals
- Time, effort, and costs to contact the media and respond to inquiries from the media
- Time and effort to notify state or federal agencies
- Long-term costs associated with new compliance requirements
- Costs associated with forensics investigation, if any
- Costs associated with resulting legal action, if any
Some data breaches may be the result of a fundamental design flaw in a company’s website or IT system. In such cases, it could take several days or even weeks to implement all of the changes necessary to prevent a reoccurrence of the data breach. In other cases, a company may be able to determine the root cause and the long-term fix in less than one business day. Companies that can complete remediation quickly usually already have a security program in place.
The costs of notifying all impacted individuals and the costs of compensating all impacted individuals can vary greatly. If the company has sufficient audit logs in place, or the assistance of a qualified computer forensics team, it might be possible to prove that only a small number of individuals were impacted by the breach. Note that having a certified forensics team perform an investigation can be expensive. SystemExperts knows of one company that was able to demonstrate that a breach impacted only nine individuals out of thousands of customers without needing to engage a third party. Knowing that level of detail greatly reduced the cost and time required to perform the notifications. In other cases, a company may be forced to assume that every customer and employee has to be notified and potentially compensated.
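The audit-log scoping described above, as an added Python example (not code from the article or from SystemExperts): it reads a constructed access log, keeps only the events performed by a compromised account inside the incident window, and reports the bounded set of customers to notify. The account names, window, and log format are assumptions; a bulk event that carries no per-record detail is the case where scoping fails and every customer has to be assumed impacted.

```python
import re
from datetime import datetime

# Constructed sample audit log (not from the article). One event per line:
# timestamp, actor, action, and the customer record touched ("*" = bulk export
# with no per-record detail, which is the case that defeats scoping).
SAMPLE_LOG = """\
2016-03-01T09:02:11Z alice read_record cust=1041
2016-03-01T09:05:40Z svc-backup bulk_export cust=*
2016-03-02T22:14:03Z alice read_record cust=2207
2016-03-02T22:14:09Z alice read_record cust=2208
2016-03-02T22:15:51Z alice read_record cust=2207
2016-03-03T01:30:00Z bob read_record cust=3300
2016-03-04T08:00:00Z alice read_record cust=4410
"""
# Constructed customer population (stands in for the company's customer table).
ALL_CUSTOMERS = {str(i) for i in range(1000, 5000)}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) cust=(\S+)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_log(text):
    """Parse audit lines into (timestamp, actor, action, customer) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are dropped here; a real review would count them
            ts, actor, action, cust = m.groups()
            events.append((parse_ts(ts), actor, action, cust))
    return events

def scope_breach(events, compromised_actors, window_start, window_end):
    """Return (affected_ids, scoped). scoped is False when a bulk event inside the
    window leaves no way to bound the population, so every customer is assumed hit."""
    start, end = parse_ts(window_start), parse_ts(window_end)
    affected = set()
    for ts, actor, action, cust in events:
        if actor not in compromised_actors or not (start <= ts <= end):
            continue
        if cust == "*":
            return set(ALL_CUSTOMERS), False
        affected.add(cust)
    return affected, True

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    hit, scoped = scope_breach(events, {"alice"}, "2016-03-02T00:00:00Z", "2016-03-03T12:00:00Z")
    print(f"notify {len(hit)} of {len(ALL_CUSTOMERS)} customers (scoped={scoped}): {sorted(hit)}")
```

The same logic applied to real logs only works if every record access is logged with the record identifier; the bulk-export branch is what happens when it is not.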
When a breach occurs, some companies will simply refer the impacted individuals to free credit report agencies. In other cases a company may decide to reimburse impacted individuals for identity theft protection services or even the legal costs of recovering stolen identities. Often that decision is based upon a desire to preserve the reputation of the company.
The costs associated with media are also highly variable. In some situations a company may engage a third party public relations firm to help draft statements and even launch a campaign in order to preserve the company’s reputation. There is also the time and effort required to educate all staff about what they should do if they receive a media inquiry.
A breach may also have a big impact on a company’s compliance costs. For example, a small company that handles a small number of credit card transactions could end up being required to perform an annual PCI-DSS level one compliance assessment as a result of a breach. That level is usually reserved for companies that process over a million transactions a year for a single card brand. The cost of a level one PCI-DSS assessment could drive some small businesses out of business.
Depending on the type of breach there may also be fines levied and legal costs. In March of 2016, Target’s annual report revealed that the cumulative expenses from its late-2013 breach totaled $291 million through fiscal 2015.
Companies that did not have a security and compliance program prior to a data breach often end up implementing one after experiencing the breach. That is also a long-term, ongoing cost, but one that most companies find is worth the effort and expense once they have experienced the costs that a breach can entail.
Paul Hill has worked with SystemExperts as a principal project consultant for more than twelve years assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services. He joined SystemExperts full time in March 2012 and coordinates the SMARTday practice.