A data breach may cost you more than you think.
By David Ellis, Director of Forensic Investigations (CISSP, QSA, PFI)
Some organizations believe dealing with a data breach might be better than dealing with the difficulties of PCI and HIPAA compliance. Unfortunately, they don’t realize how much damage a data breach can inflict on a business.
Let’s take a look at some of the different costs your business could incur as a result of a data breach.
SEE ALSO: How Much Does PCI Compliance Cost?
Financial costs
After a data breach, businesses could face multiple types of financial detriment, which may include:
- Merchant processor compromise fines: $5,000 – $50,000
- Forensic investigation: $12,000 – $100,000+
- Onsite QSA assessments following the breach: $20,000 – $100,000
- Free credit monitoring for affected individuals: $10 – $30 per card
- Card re-issuance penalties: $3 – $10 per card
- Breach notification costs: $2,000 – $5,000+
- Technology repairs: $2,000 – $10,000+
- Increase in monthly card processing fees: +
- Legal fees: +
- Civil judgments: +
Reputation costs
In addition to these expenses, you need to also consider the cost of damage to the reputation of your brand.
After a breach, many businesses have documented losing up to 40% of their revenue from customers losing confidence in their brand. Customers losing confidence in your brand will drastically impact your business. That’s a cost that your business may have to deal with even years after the data breach.
Health organization costs
If you’re running a healthcare entity, hopefully you’re aware of how valuable healthcare patient data is to hackers.
Today, patient records can be even more valuable than credit cards on the black market. While most credit cards sell for $2-$10 each, high quality patient data can fetch up to $200.
Just think of the grief that would create. If your organization was responsible for this type of havoc being wreaked against your clients, the ramifications—both for your reputation and civil recourse—may be catastrophic.
If your organization handles patient data, you may incur additional fees. These fees may include:
- HHS fines: up to $1.5 million/violation/year
- Implementation of new systems and processes: varies
- On-going credit monitoring for affected patients: $10/individual
- Federal Trade Commission fines: $16,000/violation (violation = per record)
- Class action lawsuits: $1,000/record
- State attorneys general: $150,000 – $6.8 million
- Patient loss: 40%
There’s also the recent ruling that allows the Federal Trade Commission to sue a hacked company if it didn’t have proper security in place. The fact that more government organizations are getting involved in data security demonstrates how serious the government considers data breaches to be, and emphasizes the need to actively secure your company and client data.
SEE ALSO: Computer Security and The FTC: Suing Hacked Companies
Protecting your data
Some basic security practices you can follow include:
- Get compliant with financial/healthcare mandates: mandates like the PCI DSS and HIPAA cover a lot of basic security protocols you should be following.
- Segment your network: the more valuable the information, the more it should be separated from your day-to-day data.
- Secure your remote access: use multiple layers of authenticating security.
- Install security systems: implement multiple, robust firewalls and intrusion detection/prevention systems.
- Conduct a thorough risk assessment: you can’t protect your data if you don’t know the risks your business has. Identify your valuable data targets and the threats against them.
- Monitor your systems: regular review of firewall and intrusion detection/prevention logs will show you threats that are hitting your systems.
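The last two points (segmenting the network and reviewing firewall logs) are easier to act on with a concrete example. The script below is an added illustration written for this post, not code from the author or from SecurityMetrics. It parses a handful of constructed iptables-style firewall log lines, counts dropped connections per source address, and separately flags any source that has been probing the segment holding cardholder or patient data. The log format, the 10.10.20.0/24 address range for that segment, and the drop threshold of 3 are all assumptions chosen for the example; adjust them to match your own firewall and network layout.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample firewall log lines in an iptables/syslog style.
# These are made-up records for the example, not captured traffic.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=10.10.20.5 PROTO=TCP DPT=3389
Mar  3 10:01:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=10.10.20.5 PROTO=TCP DPT=3389
Mar  3 10:01:05 fw1 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=10.10.20.5 PROTO=TCP DPT=3389
Mar  3 10:01:09 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=10.10.10.8 PROTO=TCP DPT=443
Mar  3 10:02:11 fw1 kernel: DROP IN=eth1 SRC=10.10.10.23 DST=10.10.20.9 PROTO=TCP DPT=1433
Mar  3 10:02:12 fw1 kernel: DROP IN=eth0 SRC=203.0.113.45 DST=10.10.20.5 PROTO=TCP DPT=22
Mar  3 10:03:40 fw1 kernel: DROP IN=eth0 SRC=192.0.2.77 DST=10.10.10.8 PROTO=TCP DPT=80
"""

# Assumed layout: the segmented network holding cardholder/patient data.
CARDHOLDER_SEGMENT = ip_network("10.10.20.0/24")
# Assumed review threshold: this many drops from one source is worth a look.
DROP_THRESHOLD = 3

# Pulls the action, source, destination, protocol and destination port
# out of one log line; lines that do not match are ignored.
LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Return a list of event dicts, one per parseable firewall log line."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        event = match.groupdict()
        event["dpt"] = int(event["dpt"])
        events.append(event)
    return events


def review(events, threshold=DROP_THRESHOLD, segment=CARDHOLDER_SEGMENT):
    """Summarise what a periodic log review should surface.

    noisy_sources: sources with at least `threshold` dropped connections.
    segment_probes: sources whose dropped traffic was aimed at the sensitive
                    segment, with the ports they tried, so an internal host
                    reaching for the database network stands out even if it
                    only tried once.
    """
    drops_by_src = Counter(e["src"] for e in events if e["action"] == "DROP")
    noisy_sources = {src: n for src, n in drops_by_src.items() if n >= threshold}

    segment_probes = defaultdict(set)
    for e in events:
        if e["action"] == "DROP" and ip_address(e["dst"]) in segment:
            segment_probes[e["src"]].add(e["dpt"])

    return {
        "noisy_sources": noisy_sources,
        "segment_probes": {src: sorted(ports) for src, ports in segment_probes.items()},
    }


if __name__ == "__main__":
    findings = review(parse_log(SAMPLE_LOG))
    for src, count in findings["noisy_sources"].items():
        print(f"{src}: {count} dropped connections")
    for src, ports in findings["segment_probes"].items():
        print(f"{src} probed the data segment on ports {ports}")
```

Run it as-is to see the two kinds of finding side by side: an external address hammering RDP and SSH on a data-segment host, and an internal workstation (10.10.10.23) that tried to reach a database port inside the segment. The second finding is the payoff of segmentation: without a firewall between the office network and the data network, that attempt would have produced no log line at all.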
David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.