Heartbleed and Headaches: The Cost of Internet Convenience

One of the major issues facing individuals and companies today is the growing risk of cyber crime. The internet has shrunk our world by allowing businesses and people to communicate instantly across the globe. This dynamic has changed the face of business and commerce in dramatic and still-evolving ways. With this convenience, however, comes a downside: millions of records are transferred between computers across the globe every day, and all of that information has some value and is therefore a target for theft.

For individuals, cyber crime often means a call from a credit card company’s fraud detection unit or a notice that a credit score has changed. The impact can range from something as minor as disputing a few charges and receiving a new credit card to having to untangle one’s personal information from an identity thief before being able to open a bank account or obtain a loan. The cost and time spent fixing these problems are a substantial loss for many people, but the cost grows dramatically when the larger picture is considered and can be a massive financial loss for an organization facing a data breach.

Impact of Data Breach and other Cyber Attacks

Over the last decade, it is estimated that over 600 million records have been compromised in the United States alone. The Ponemon Institute, in a 2010 study, concluded that each compromised record costs a company an average of $214. In addition to data breaches, organizations face numerous other types of attacks, including denial-of-service and web-based attacks.

In 2013, organizations experienced an average of 122 successful cyber attacks per week, with each attack costing an average of a little over $1 million and taking 32 days to repair. The end result is that the costs of responding to and attempting to prevent cyber crime are estimated at $100 billion per year for the United States economy, with the global impact estimated at $300 billion per year. Even more troubling, these numbers have grown each year.

The recent news regarding the Heartbleed bug portends even more costs in 2014. Heartbleed is a newly discovered vulnerability in OpenSSL, the encryption library used by an estimated 500,000 websites. The bug effectively allowed hackers access to users’ sensitive personal data, including usernames, passwords, and credit card information. In addition, it was possible for an attacker to obtain encrypted internal documents from servers by using the digital keys obtained through the Heartbleed bug. At this time, it is unknown how much data was affected, because exploiting this bug leaves no record of abnormal activity in server logs.
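The defect class behind Heartbleed is a missing length check: a TLS heartbeat message carries a field stating how long its payload is, and the vulnerable responder trusted that field instead of comparing it with the number of bytes actually received, so it echoed back whatever happened to sit next to the message in memory. The following Python is an added illustration written for this article, not code from OpenSSL or from the article’s author. It models the heartbeat message layout from RFC 6520 (type, two-byte payload length, payload, at least 16 bytes of padding), places a constructed message next to a constructed string standing in for adjacent server memory, and contrasts an unchecked responder with one that applies the bounds check. The “adjacent memory” bytes and the message contents are made up for the demonstration; no network or real TLS stack is involved.

```python
import struct
from typing import Optional

# Message layout from RFC 6520 (TLS Heartbeat Extension):
#   type (1 byte) || payload_length (2 bytes, big-endian) || payload || padding
HB_REQUEST = 1
HB_RESPONSE = 2
HB_MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding
HB_HEADER_LEN = 3


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Serialise a HeartbeatRequest.

    claimed_length lets a caller construct a message whose length field
    disagrees with the bytes actually present, which is the malformed input
    a responder must discard. Default padding is 16 zero bytes (constructed).
    """
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * HB_MIN_PADDING


def validate_heartbeat(message: bytes) -> Optional[bytes]:
    """Return the payload if the message is well-formed, otherwise None.

    RFC 6520 says a message whose claimed payload does not fit in the
    received bytes must be silently discarded; that discard is the check
    the vulnerable code lacked.
    """
    if len(message) < HB_HEADER_LEN:
        return None
    hb_type, payload_length = struct.unpack("!BH", message[:HB_HEADER_LEN])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return None
    # The bounds check: header + claimed payload + minimum padding must fit.
    if HB_HEADER_LEN + payload_length + HB_MIN_PADDING > len(message):
        return None
    return message[HB_HEADER_LEN:HB_HEADER_LEN + payload_length]


def respond_unchecked(receive_buffer: bytes, msg_len: int) -> bytes:
    """Simulated vulnerable responder.

    It trusts payload_length and copies that many bytes starting after the
    header, ignoring msg_len (the true size of the message it received), so
    the copy can run past the message into whatever follows it in the buffer.
    """
    _, payload_length = struct.unpack("!BH", receive_buffer[:HB_HEADER_LEN])
    return receive_buffer[HB_HEADER_LEN:HB_HEADER_LEN + payload_length]


def respond_checked(receive_buffer: bytes, msg_len: int) -> Optional[bytes]:
    """Hardened responder: only the msg_len bytes actually received are
    considered, and the length field is validated against them."""
    return validate_heartbeat(receive_buffer[:msg_len])


def simulate(payload: bytes, claimed_length: Optional[int], adjacent_memory: bytes) -> dict:
    """Place a heartbeat message directly before constructed 'adjacent memory'
    and show what each responder would send back."""
    msg = build_heartbeat(payload, claimed_length)
    receive_buffer = msg + adjacent_memory  # constructed: message followed by other data
    return {
        "unchecked": respond_unchecked(receive_buffer, len(msg)),
        "checked": respond_checked(receive_buffer, len(msg)),
    }


if __name__ == "__main__":
    # Constructed sample: a 5-byte payload whose length field claims 64 bytes,
    # sitting next to a constructed secret that represents other server memory.
    result = simulate(b"hello", 64, b"SECRET-KEY-MATERIAL")
    print("unchecked responder returned:", result["unchecked"])
    print("checked responder returned:  ", result["checked"])
```

In the simulation the unchecked responder returns the five-byte payload followed by bytes it was never sent, including the constructed secret, while the checked responder returns nothing. Because the RFC-mandated response to a malformed heartbeat is a silent discard, a patched server still produces no log entry by default; an organization that wants evidence of attempted exploitation has to add its own logging or network-level detection for heartbeat messages whose length field exceeds the record that carries them.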

While Heartbleed has exposed a vulnerability in OpenSSL, even companies with the resources to use proprietary encryption have been found to be vulnerable. Two of the most famous examples of highly sophisticated companies suffering substantial data theft are Sony and Target. Both companies had sophisticated security in place, but hackers found ways to access computers that, in turn, had access to the sensitive information. In addition to hacking, physical theft of hard drives or backup tapes that were then broken into has also resulted in data breaches.

Because of these varied means of obtaining data, companies often do not learn of a data breach quickly. In fact, it is estimated that 30-40% of all data breaches are the result of inadvertence or negligence rather than an attack that might be detected. Also, as the Heartbleed bug demonstrates, some attacks work within the architecture of the systems themselves, allowing them to go undetected. As such, no shield or policy can perfectly prevent a data breach. Nonetheless, companies can and should take steps to prevent one.

Responding to a Data Breach

A familiar saying is that the cover-up is often worse than the crime. With a data breach, the cover-up will often be the crime. Forty-six states and the federal government currently have laws requiring some form of notification following the compromise of personally identifiable information. The notification period can be quite stringent, as short as seven days in some states. In addition, what constitutes personally identifiable information differs from state to state, covering expected items such as Social Security and credit card numbers but also, in California, a person’s ZIP code.

Under the typical state statute, the duty to notify applies whenever there has been unauthorized access to a system where: computerized data was acquired; that acquisition materially compromises the security or confidentiality of personally identifiable information maintained by the entity; the information is part of a database of personally identifiable information about multiple individuals; and the acquisition causes, or the entity reasonably believes has caused or will cause, loss or injury to an individual.

These notification requirements can be very difficult for organizations. First, many organizations may not be aware of a data breach, or of its extent, until substantial time has passed, and may not have a plan in place for what to do when one is discovered. A recent study shows that 77 percent of small businesses do not have a formal written policy on data security for employees to follow and, of those without one, 49 percent do not even have informal policies. In these circumstances, even when a data breach is uncovered, time may be lost trying to determine what to do and whom to contact, and that lost time may result in fines or worse for the organization.

Second, many organizations will want to investigate and be able to provide a full accounting of the data before informing people of the breach. When Sony reported its data breach, it provided a cryptic statement that it did not believe credit card numbers had been obtained, but that it was possible. This statement was not helpful for Sony’s public relations, but it was likely necessary under various laws, because the full extent of the breach was unknown.

Organizations of any size with any online presence should be aware of the local laws and have a formal plan addressing both the investigation and the notification that follow a data breach. Investigation includes understanding the techniques needed to identify quickly when a breach occurred and to determine its extent. In addition, companies should be quick to investigate any claims by customers or other individuals that a breach has occurred. A complaint that a customer service representative fails to pass on could still constitute a reasonable belief of a breach and expose the company to severe fines.

Notification includes having the procedures in place to notify potential victims quickly and to offer services to them. Unfortunately, data breaches are a part of the modern technological world, and companies need to be ready to respond effectively to any breach.

Consequences of a Data Breach

No organization is truly immune from the risk of a cyber attack. While the larger targets get more attention and news coverage, many smaller and mid-size companies have also suffered cyber attacks. Recent studies have shown that over 72 percent of all data breaches occurred in small-to-medium sized businesses. In 2013, the average annualized cost of a cyber attack was $11.56 million per organization. For smaller or mid-sized companies, the per-capita cost of such an attack is substantially higher than for larger organizations, which can better absorb the costs.

These costs are substantial and vary widely because the expenses can come from many different places. For example, here are some likely expenses a company that has fallen victim to a cyber attack can incur:

· lawsuits by third parties;
· breach of contract lawsuits;
· regulatory fines and penalties;
· notification costs;
· investigation costs;
· data restoration and business interruption costs;
· costs to improve or repair online security; and
· public relations costs.

Cyber Liability Insurance

Companies of all sizes should be aware of their exposure to cyber attacks and consider what insurance will indemnify them. The first consideration is that cyber attacks often involve both first-party and third-party coverages – the company will suffer direct harm to its own property and face litigation from third parties harmed by the company’s alleged negligence or breach of contract.

First-party coverage also comes from property policies, but it is common for the definition of property to specifically exclude data. In such a case, an organization hit by a data breach may be left without insurance for the loss of the data, the business interruption, and the extra expenses.

Companies that maintain databases of personal information need to make sure they have insurance covering losses that stem from a data breach. Several insurance products exist, but there are pitfalls that may prevent full coverage.

William Pillsbury