An overriding concern today for any business that collects customers’ personal information should be the security of that information. For the modern business, a data breach will mean bad publicity, loss of customers, and, perhaps, overwhelming costs.
A 2010 study found the average cost to a company of a data security breach is $7.2 million, or an average of $214 per compromised customer record. How many customer records are secured on your systems? And how confident are you in that security?
More troublingly, those estimates include only the direct costs of a response to a data security breach, e.g., repairs and upgrades to your IT infrastructure, and hiring of outside vendors and lawyers to assist in the investigation and response. But these direct costs pale in comparison to potential damage to the reputation of your business, in terms of customer trust and brand loyalty. An identity theft victim spends an average of nearly 100 hours to resolve problems caused by a breach. How likely is that customer to return to your business knowing you failed to safeguard their information?
Criminals have plenty of incentive to steal your customers’ information: on the internet black market, credit card or bank account numbers can be sold for $30 each, or more if accompanied by expiration dates, zip codes, and other authenticating information. Social security numbers can fetch $25 or more. Even e-mail addresses, alone, can be sold in bulk for significant sums. Hackers may be motivated by more than just money: in 2010, hackers accessed the personal information of 170,000 employees of Royal Dutch Shell and, for political reasons, shared the information with Greenpeace and other environmental activist groups.
Unauthorized access to your systems can have a huge impact on your bottom line. In 2007, hackers stole the records of 45 million customers of the TJX Companies (owners of the T.J. Maxx retail chain). The company’s subsequent SEC filings disclosed more than $200 million in costs as a result of the breach; some industry analysts have estimated the company’s total losses (including harm to its brand) at more than $1 billion.
How can you prepare for or avoid the theft of customer information from your business? This article outlines a few basic tips:
Devise and implement a data security policy. If you accept customers’ credit card information, you are required to have such a policy by the Payment Card Industry Data Security Standard (PCI DSS). That policy should govern how your network is built and maintained, and require periodic testing for vulnerabilities. Even if you do not take credit card transactions, you should have an equal level of security for customers’ private information, such as mailing addresses, social security numbers, and email addresses.
Separately, prepare a policy for response to a data security breach. Pennsylvania’s Data Breach Notification Law requires disclosures of breaches to affected customers, and imposes liability on companies that fail to make such disclosures. Federal laws imposing greater penalties may be forthcoming. Your IT department and your legal team should work together to develop a plan to ensure an effective response to a breach, large or small, that will limit the scope of the breach and otherwise protect you from liability.
Get rid of outdated (paper and electronic) records. If you are retaining more than the current records your business needs to operate or legally is required to retain, you are greatly increasing the risk of a sizeable breach. McNees can help you develop a records storage plan that will minimize such risk while ensuring compliance with Gramm-Leach-Bliley, HIPAA, and other relevant laws.
Carefully dispose of old electronic equipment, and govern your employees’ use of portable devices and storage media. A growing number of breach cases stem not from hacking, but from a company’s loss or haphazard disposal of outdated, but un-scrubbed, hard drives, flash drives, laptops, and other devices.
Do you use third party vendors? Do those vendors have access to your systems, or do you otherwise entrust them with your customers’ personal information? If so, you should include risk transfer and indemnification provisions in your contracts with those vendors. This will provide you with an additional layer of protection should that vendor fail to safeguard your information (or if their unscrupulous employee misuses or sells your data).
Consider data breach insurance. Electing for security and privacy liability endorsements on your policy could protect you from liability to customers and other third parties, as well as pay attorney’s fees and other internal and external costs in case of a breach. McNees can review your policies and evaluate your coverage for these potential costs.
With careful forethought, the risks of a data breach can be minimized or avoided. We invite you to consult with us regarding your plan to prevent or respond to this continuously evolving threat to your business and customers.
Devin is a Member of the McNees Litigation group, and has handled litigation involving companies with large-scale data security breaches. He defends companies in litigation and investigations arising from the loss or theft of personal information, and counsels them on how to avoid and respond to such events.