Q: How can I convince my company’s higher-ups to make data security more of a priority for the company?
A: We get this question all the time. One reason it is a hard sell is that the monetary penalties available under many of the data security statutes in the United States and in other jurisdictions are often not high enough to deter a company from being lax in its data security measures, and, on the civil side, courts have been reluctant to award damages to plaintiffs unless they actually suffer identity theft as a result of data being compromised while in the care of the defendant (which often is difficult to prove).
However, there are other types of costs and liabilities that follow a data security breach that may catch the attention of a company’s superiors. For example, where payment card data was compromised, a merchant may have to pay fines to its merchant bank, compensate the card-issuing bank for its costs to reissue new cards and pay unauthorized charges, and may even suffer increased card payment transaction fees or, at worst, lose its ability to accept payment cards as a form of payment. Additionally, when any type of sensitive data has been compromised, a company often has to pay for forensics consultants to help determine the scope of the incident, outside lawyers to assist in compliance with breach notification laws, mail houses to send notifications to affected individuals, call centers to receive incoming calls about the incident, and credit monitoring services for the individuals whose data was compromised. And if litigation ensues, legal costs accrue even if the company is ultimately successful in its defense.
To help companies understand the actual costs that typically follow a data security breach, Ponemon Institute conducts an annual study surveying companies that have suffered such incidents about the costs they incurred as a result. This past week, Ponemon Institute announced the publication of the results of its fifth annual study on the costs of data breaches for U.S.-based companies. (A similar report for U.K.-based companies also was released.) Ponemon’s study covers not only tangible expenses but also losses that are more difficult to measure, such as loss of business due to reputational harm.
Proskauer’s own Natalie Newman, one of our “breach responders” who assists companies that have suffered a data security incident, recently blogged about Ponemon Institute’s newly released study, including the average cost per compromised record as well as the range of aggregate breach costs among the companies surveyed. We often refer clients to Ponemon Institute’s annual study for statistical data that can be used by a company to make an informed risk management decision about prioritizing data security.