FindLaw columnist Eric Sinrod writes regularly in this section on legal developments surrounding technology and the internet.
A recent study relating to data security breaches in the United States shows that total per-incident costs are substantial. The average total per-incident costs in 2009 were $6.75 million, comprised of an average cost of $204 per customer with a jeopardized record. Breaches included within the survey varied from 5,000 records to more than 101,000 records from 15 different industry sectors. The most expensive data breach within the ambit of the study cost almost a whopping $31 million dollars to resolve.
PGP Corporation, an enterprise data protection company, and the Poneman Institute, a privacy and information management research firm, as part of their fifth annual U.S. Cost of a Data Breach Study, tracked a wide array of cost elements. These elements included outlays for detection, escalation, notification, and response along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs related to customer support like information hotlines and credit monitoring subscriptions. The study analyzed companies from 15 different industries. These industries included the financial, retail, healthcare, services, education, technology, manufacturing, transportation, consumer, hotels and leisure, entertainment, marketing, pharmaceutical, communications, research, energy and defense industries.
In addition to total per-incident costs, the study brings to light some important findings. For example, data breaches caused by malicious attacks and botnets were on the high end of severity and cost responses. These types of breaches doubled from 2008 to 2009.
Interestingly, it appears that negligent insider breaches have decreased in frequency and associated cost. This is probably because of employee awareness about the need to protect personal information. Employees are being taught by training programs about data security breaches. Plus, 58% of the respondents have implemented the use of encryption protection, up from 44% the year before, according to the study.
Nevertheless, data breaches involving data outsourced to third-parties, especially those offshore, remain very costly. This is because of additional investigation and consulting fees. Data breaches caused by lost, missing or stolen laptops tend to be more costly than other incidents. Breaches experienced by "first-timers" are more expensive than those encountered by companies that have learned to grapple with prior breaches.
The study shows that companies are spending more on legal defense costs in the area of data security breaches. This has been attributed to fears of potential class actions, and other lawsuits resulting from consumer and employee data loss. In fact, companies that engage outside expertise to assist them during a data breach incident tended to have a lower $170 cost per victim than companies that do not seek outside help at $231 per victim.
Furthermore, companies that have a Chief Information Security Officer (CISO) or equivalent high-level security/privacy leader in place who manages data security breach incidents experienced a 50% less per cost of compromised record than companies that do not have such leadership.
Somewhat surprisingly, the study indicates that companies that notify victims of data breaches too quickly may incur about 12% higher response costs. The study suggests that moving too quickly through the data breach process could cause inefficiencies that raise total costs. Still, companies need to be mindful of legal and public relations responsibilities and concerns in deciding the proper timing of these response phases.
The authors of the study properly suggest certain technology solutions designed to assist in preventing data breaches on the front-end. These solutions include encryption (whole disk encryption and also for mobile devices/smart phones), data loss prevention (DLP) solutions, identity and access management solutions, and endpoint security solutions and other anti-malware tools.
Companies should also establish an organizational structure that enables the CISO or other security and privacy officers to take the lead and work to ensure that the detection and notification processes are managed correctly.
The authors conclude that when in doubt about requirements (which can be common), companies should seek the advice and direction of outside legal counsel and experts in order to try and make the notification process compliant with the various state data breach notification laws, and well as applicable federal requirements.
At the end of the day, while the press may not be reporting as much on data breaches as in the past, these breaches certainly are not going away. They must be handled proactively.
Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP (http://www.duanemorris.com) where he focuses on litigation matters of various types, including information technology and intellectual property disputes. His Web site is http://www.sinrodlaw.com and he can be reached at email@example.com. To receive a weekly email link to Mr. Sinrod's columns, please send an email to him with Subscribe in the Subject line.
This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.
- Heartbreak over Heartland: Why Prosecution for Data Breaches Isn't Enough (FindLaw)
- Personal Data, an Email Error & Security Breach Notification Laws (FindLaw's Common Law Blog)
- Credit Card Data and Encryption: Big Holes in Protection (FindLaw's Common Law Blog)