Inside the Costs of Data Breaches for Small Businesses
According to research conducted by Trustwave, 90% of data breaches impact small businesses. Moreover, when a breach occurs it kicks off a series of unavoidable and costly actions that range from forensic analysis to mandatory reporting requirements – expenses that can be addressed by a properly designed Cyber Liability insurance policy. Here we take a look inside some of these expenses.
- Forensic examination – A business that suspects a breach will undergo a forensic examination to determine if the breach has actually occurred and, if so, to what extent. The firm will need to hire an outside examiner to conduct the investigation, which may last from days to weeks. This examination may require shutting down the company’s network, depending on the type of business. According to Verizon Business, a small business examination may run in the range of $20,000 to $50,000.
- Customer notification – The majority of states require that customers, and in many cases the state attorney general, be notified if financial information is suspected of being compromised in a data breach. In the case of healthcare facilities, the Office for Civil Rights (OCR) requires healthcare providers and other Health Insurance Portability and Accountability Act (HIPAA) covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Depending on the number of customers and/or patients and their locations, the process of sending notifications may cost thousands of dollars.
- Credit monitoring for affected customers – A company may be required to provide up to a year’s worth of credit monitoring and/or counseling services to customers affected by a breach.
- Penalties and fines – Depending on the industry, there may be penalties and fines for non-compliance when a breach occurs. For example, merchants must be able to demonstrate PCI compliance within their stores across all IT systems that store, transmit, or track credit card data. This generally includes POS and back-office systems. Failure to comply with PCI requirements can result in penalties or sanctions from members of the payment card industry. In addition to PCI, there are several states with PCI-related legislation. Fines for small merchants can range from $5,000 to $50,000 or more.
Healthcare providers and organizations that fail to respond promptly and accurately to a healthcare data breach are subject to potential fines and penalties under the Health Insurance Portability and Accountability Act of 1996 and its associated regulations (HIPAA), and under the HIPAA Omnibus Final Rule, which expanded HIPAA’s privacy protections and enhanced the enforcement capabilities of the OCR.
- Crisis management – In the wake of a breach, the trust between a business and its customers or patients may be damaged. The business will need to hire a PR or crisis firm to run a campaign to regain that trust.
- Liability claims – A client/patient or third party can bring both direct claims and cross-claims for indemnification against the business or organization for damages incurred as a result of the breach exposure. This involves legal defense costs and, if the business is found liable, any indemnification.
Caitlin Morgan provides Cyber Liability insurance solutions for a broad range of industries with access to leading insurers that have developed products designed to respond to this threat. We can assist you in securing a Cyber policy that fits your client’s risk profile. Give us a call at 877.226.1027.