The financial repercussions of an information breach are staggering.
In response to the recent hacks in healthcare — at Anthem, Community Health Systems and Premera Blue Cross — as well as in retail — at Sony, Target and Home Depot — businesses are realizing information security risk management must be proactive and strategic, not reactive, according to CFO magazine.
Anthem, for instance, settled a case for $1.7 million in 2013 after HHS cited it for not completing a risk analysis on a new consumer portal, according to the report. The breach earlier this year affecting 80 million Americans will soon require Anthem to exhaust its $100 million cyber-insurance coverage solely on notifying affected customers and providing them with free identity theft monitoring.
The cost per record in a data breach is approximately $200, according to Ponemon Research. This number doesn't include additional costs that are harder to calculate — such as reputational and consumer confidence effects, business distraction, class-action lawsuits and regulatory fines.
A more comprehensive breakdown of the various costs of a data breach is shown below, according to CFO magazine.
1. Investigation. A forensic team needs to investigate the circumstances of the breach, and what data was affected.
2. Remediation. Installing the safeguarding system that should have already been in place to prevent a breach is a significant cost.
3. Notification. In healthcare, any breach involving more than 500 patient records requires immediate notification to the affected individuals, federal regulators and the media, according to the report. This cost is one of the largest. For Anthem, the cost of informing all of the affected patients by first class mail was $40 million. As more information becomes available, more mailings may be necessary.
4. Identity-theft repair and credit monitoring. These costs can range from $8 to $12 per month per victim, and can last between one and two years, according to the report.
5. Regulatory fines. The minimum fine for a HIPAA violation involving willful neglect is $1.5 million, and typically multiple HIPAA violations are involved in data breaches.
6. Interrupted business operations. Since a significant amount of time, money and effort is diverted to resolve a data breach, a company's operations can be severely impacted. Many organizations elect to set up a call center or website to help answer victims' questions, but these require development and manpower as well.
7. Loss of business. Many companies struggle to retain customers after a data breach.
8. Class-action lawsuits. Three lawsuits were filed against Anthem within 24 hours of its reporting the breach. According to the report, the asking price in healthcare data breach lawsuits is approximately $1,000 per victim.