In the past two years, there have been dozens of highly publicized data breaches, including recent ones at Community Health Systems, Anthem, and now Premera Blue Cross. Just from those three, hackers stole medical information and other data of 136 million Americans, some records dating back a decade.
And that’s just in health care. Add Target, Sony, and Home Depot to the list and we’re talking tens of millions more Americans affected.
When breaches of this size become almost commonplace in the retail, health care, and movie industries, many CFOs wonder: How vulnerable is my company? The simple answer is that if you don’t know your risks, you’re extraordinarily vulnerable — and the financial costs of a data breach can be staggering.
CFOs are realizing that information risk management needs to be approached from a strategic, proactive perspective — not in an ad hoc, reactive way.
If Anthem had done that two years ago, they might have avoided the recent mega-breach. The company had a wake-up call in 2013 when it was cited by Health and Human Services’ (HHS) regulators for not having completed a risk analysis after implementing a new consumer portal. It settled the case for $1.7 million. That’s a drop in the bucket compared with the costs of their 2015 breach involving 80 million people.
According to many media reports, Anthem will soon deplete its $100 million cyber-insurance coverage just to notify the victims and provide free identity-theft and credit monitoring.
Ponemon Research conducts annual studies on the cost of a data breach, which consistently hovers around $200 per record. But that number doesn’t include the hard-to-calculate costs like reputational repercussions, business distraction, class-action lawsuits, and regulatory fines.
Here’s a more complete breakdown of the kinds of costs associated with a data breach:
Investigation. A forensics team needs to determine how the system was compromised and what data was affected — and whether anything was deleted or deliberately altered. Then that team has to ensure that malware, if the culprit, isn’t still lurking somewhere in the system.
Remediation. This is the cost of putting in the controls or safeguards that should have already been put in place to avoid the breach.
Notification. The cost of this alone is daunting. In the health-care field, any breach involving more than 500 patient records requires immediate notification to the affected individuals, federal regulators, and the media.
Notification to individuals must be by first-class mail unless the individual has agreed to electronic notice. At 49 cents per stamp, that’s a $40 million price tag for Anthem, and that may not be all, since more than one mailing may be required as more information becomes available.
Identity-theft repair and credit monitoring. These costs can run anywhere between $8 and $12 per month per victim, and the term length can be either one or two years. While this attempt to reduce the probability of further unauthorized disclosure may provide some solace to the victims, it’s unlikely to prevent lawsuits.
Regulatory fines. Depending on the industry, fines and penalties can be quite steep. In the health-care field, for example, the minimum fine for a Health Insurance Portability and Accountability Act (HIPAA) violation involving willful neglect is $1.5 million — and most data breaches involve multiple HIPAA violations. Even if the civil monetary penalty system isn’t invoked, HHS has secured settlements as high as $4.8 million.
Disruptions in normal business operations. Because many resources are diverted to clean up after a data breach, a company’s operational health can be adversely affected. Most organizations set up a call center to reduce the business distraction, and some will set up a website to keep victims informed, but the messaging needs to be developed, edited, and approved. And then there are the communications and FAQs for employees, customers, the media, and stakeholders.
Lost business. Data breaches often cause customers to flee to a competitor, and it’s difficult to calculate those costs. But here are some examples:
- A Ponemon study determined that the industries with the highest churn rate were pharmaceuticals, communications, and health care (all at 6%), followed by financial services (5%).
- A Symantec study documented industry “abnormal churn” rates following a breach, with the financial, communications, and health-care fields leading the pack with loss rates of 5.6%, 5.2%, and 4.2%, respectively.
The Sony brand didn’t lose its luster after this year’s highly publicized hack related to its film The Interview, but it completely lost the box office revenue from that movie, which could have totaled tens of millions.
Class-action lawsuits. What’s the probability of one? Three lawsuits were filed against Anthem less than 24 hours after the breach announcement. Target recently announced a $10 million proposal to settle a class-action lawsuit, offering up to $10,000 for any of the 110 million victims able to prove they were harmed by its breach.
The asking price in health-care data breach lawsuits has typically been in the $1,000 per victim range, but few have come to fruition due to the courts’ reluctance to confer standing on the potential of future harm — until now. In the Adobe Systems breach case, the U.S. District Court recently found that such potential future harm is sufficient to allow a putative class of plaintiffs to proceed in federal court. Stay tuned.
Here’s another thing that could cause CFOs to lose sleep: hackers only account for about 6% of health-care data breaches. The other 94% are caused by employee errors and transgressions: losing laptops containing unencrypted data, snooping into celebrity files, improperly disposing of paper records, and so on. Those breaches don’t always have the magnitude of the Anthem hack, but they can still carry six-figure price tags.
The main takeaway here is that information risk management is much more than a technical or compliance issue. There needs to be a company-wide culture of information security and a formal program to assess and manage risks.
That’s why it’s important to conduct annual information risk analyses and use “maturity models” to see how your organization stacks up against industry benchmarks and best practices. Just by doing so, you can reduce the chances of a breach, save your company millions of dollars, and stay out of the headlines.
Mary Chaput is CFO of Clearwater Compliance in Nashville, Tennessee.