I recently had the pleasure of presenting at the Northern Kentucky School of Law and the College of Informatics Security Symposium. The topic of my discussion was an expansion on my recent blog on the Edward Snowden matter and what companies can learn about security breaches, specifically those that come from inside. As a recent report affirmed yet again, the greatest threat of a security breach does not come from hackers or other external threats, but rather from people working inside an organization. In that same presentation, I used yet again a very tired, but accurate, phrase when it comes to describing security breaches: “It’s not IF you have a security breach, but WHEN you have a security breach.” I’ve been saying that for over 10 years, since my days as a corporate privacy officer. The words have never been truer than they are today.
Indeed, we need look no further than Mr. Snowden and what one little thumb drive did to upend the business of not just the country and the NSA, but that of Snowden’s employer, Booz Allen Hamilton. As long as companies have information and employees, contractors or vendors, they will have data breaches. The question is what proactive and reactive solutions they will have in place to respond. My previous blog talks about some of the proactive things to consider, but businesses (after finally acknowledging that breaches will happen) also want to know what it is going to take to properly respond to and move on from a breach.
As we work with clients to address data breach readiness on both sides of the breach, the biggest surprise or concern comes with the cost to the company in responding to the breach once it has occurred. First are the opportunity costs. Simply put, employees working on data breach issues are not working on filling orders, building products and taking care of customers, existing or new. Then there are the direct costs such as replacing servers, installing security systems, bringing in forensic experts or providing customers means to mitigate any harm resulting from your breach, such as credit monitoring services. This is all to say nothing of dealing with the legal and regulatory fallout that might apply depending on the information breached and any laws implicated. Companies can expend a great deal of money for legal fees, to pay fines and to comply with any orders issued by regulators.
The thought of these things and their price tag can be overwhelming. But, as I have shared in many a posting about privacy and security, it does not have to be. Planning in advance through good policies and procedures, risk assessments, training employees properly and auditing company compliance can go a long way toward keeping the costs of the eventual breach to a minimum. Companies can also avail themselves of exceptional research tools, such as the annual NetDiligence 2013 Cyber Liability and Data Breach Insurance Claims Study, of which our firm is a proud sponsor. Resources such as this study can assist companies and attorneys alike in getting their minds around both the elements involved in a solid data breach response and what to reasonably expect from a cost perspective. Knowing in advance what you will need to respond to a data breach gives your company leverage in securing those services and accounting for them in your budget before the storm arrives. As with any good business decision, having all the information possible is critical to a sound data breach response plan. The time to plan for your breach is now. Because it is not IF, but...