A data breach may cost you more than you think.

By: David Ellis
Director of Forensic Investigations
CISSP, QSA, PFI

Did you know that today, we’ve seen businesses pay up to $4 million after a data breach? And those costs seem to only be rising. The longer businesses take to secure their card data, the higher those costs will be.

Some organizations believe dealing with a data breach might be better than dealing with the difficulties of PCI and HIPAA compliance. Unfortunately, they don’t realize how much damage a data breach can inflict on a business.

Let’s take a look at some of the different costs your business could incur as a result of a data breach.

SEE ALSO: How Much Does PCI Compliance Cost?

Financial costs

After a data breach, businesses could face multiple types of financial detriment, which may include:
  • Merchant processor compromise fines: $5,000 – $50,000
  • Forensic investigation: $12,000 – $100,000+
  • Onsite QSA assessments following the breach: $20,000 – $100,000
  • Free credit monitoring for affected individuals: $10 – $30 per card
  • Card re-issuance penalties: $3 – $10 per card
  • Breach notification costs: $2,000 – $5,000+
  • Technology repairs: $2,000 – $10,000+
  • Increase in monthly card processing fees: +
  • Legal fees: +
  • Civil judgments: +

Reputation costs

In addition to these expenses, you also need to consider the cost of damage to your brand’s reputation.

After a breach, many businesses have documented losing up to 40% of their revenue as customers lose confidence in their brand. That loss of confidence will drastically impact your business, and it is a cost you may still be dealing with years after the data breach.

Health organization costs

If you’re running a healthcare entity, hopefully you’re aware of how valuable healthcare patient data is to hackers.

Today, patient records can be even more valuable than credit cards on the black market. While most credit cards sell for $2 – $10 each, high quality patient data can fetch up to $200.

Patient data is also harder to replace or repair. If a consumer’s credit card data is stolen, replacing the card isn’t difficult and the impact is minimal, since the consumer’s own money was not at risk—the hacker is actually stealing from the credit card company. But if a name, date of birth, and Social Security Number are stolen and used to create a false identity, make purchases, and take out loans, the damage is far more difficult to repair. The victim will need to go to banks and credit bureaus to erase those actions from their personal credit profile, and will have to deal with the government regarding the stolen Social Security Number—which could require getting a new SSN.

Just think of the grief that would create. If your organization was responsible for this type of havoc being wreaked against your clients, the ramifications—both for your reputation and civil recourse—may be catastrophic.

If your organization handles patient data, you may incur additional fees. These fees may include:
  • HHS fines: up to $1.5 million per violation per year
  • Implementation of new systems and processes: varies
  • Ongoing credit monitoring for affected patients: $10 per individual
  • Federal Trade Commission fines: $16,000 per violation (one violation = one record)
  • Class action lawsuits: $1,000 per record
  • State attorneys general: $150,000 – $6.8 million
  • Patient loss: 40%

SEE ALSO: How Much Does HIPAA Compliance Cost?

Legal costs

With data breaches come the inevitable lawsuits, especially if it’s proven that the business didn’t take the necessary precautions to secure their data. Lawyer fees can add up quickly, ranging from $5,000 to well over six figures.

There’s also the recent ruling that allows the Federal Trade Commission to sue a hacked company if it didn’t have proper security in place. The fact that more government organizations are getting involved in data security demonstrates how seriously the government treats data breaches, and emphasizes the need to actively secure your company and client data.

SEE ALSO: Computer Security and The FTC: Suing Hacked Companies

Protecting your data

Some basic security practices you can follow include:
  • Get compliant with financial/healthcare mandates: mandates like the PCI DSS and HIPAA cover a lot of the basic security controls you should already be following.
  • Segment your network: the more valuable the information, the more it should be separated from your day-to-day data.
  • Secure your remote access: use multiple layers of authentication.
  • Install security systems: implement multiple, robust firewalls and intrusion detection/prevention systems.
  • Conduct a thorough risk assessment: you can’t protect your data if you don’t know the risks your business faces. Identify your valuable data targets and the threats against them.
  • Monitor your systems: regular review of firewall and intrusion detection/prevention logs will show you the threats that are hitting your systems.

SEE ALSO: 3 Data Security Best Practices

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.