What are the True Business Costs of a Data Leak?
There's no easy way to put a simple price tag on the cost of a data leak. Let's look at the types of business costs that might apply, depending on the leak.
14 October 2015
The answer to that question is "it depends." It depends on what data or information was leaked, who has potentially accessed it, how much data is involved, whether it's a regulated or protected class of data, what the recipient (a hacker?) of that information is doing with it, and more.
Let's look at the types of business costs that might apply, depending on the nature and extent of the leak.
- Loss of confidential or sensitive information: This is pretty much the very definition of a data leak. Someone else now has possession of or access to your data or information and can do anything they want with it. They can sell it on the black market, use it for their own benefit, or even use it to blackmail or embarrass you or your customers. The extent of this loss, and who now possesses your information, are pretty much going to determine the monetary costs of your data leak. Of course, if it's intellectual property that was lost, the impact could go way beyond monetary loss to the point of hurting your company's ability to compete.
- Non-compliance with a regulatory requirement: Most organizations hold information that falls under the scope of government or industry regulation, such as HIPAA, GLBA, FERPA, PCI DSS and SOX. One thing these all have in common is the requirement to protect some type of sensitive information. It could be financial data, personal health information (PHI), personally identifiable information (PII), nonpublic personal information (NPI), student education records, export-controlled research, or other types of regulated information. Each of these regulations defines the penalties and ramifications of exposing the data. Repercussions range from monetary fines, to civil or criminal prosecution (as in the case of GLBA), to, for violations of PCI DSS, increased scrutiny of computer systems, potential suspension or expulsion from card processing networks, and liability for fraud and associated charges.
- Customer notifications and credit monitoring: Not every leak will trigger the need for expensive notifications and ongoing credit monitoring. The consequent actions will largely be determined by the regulatory requirements that govern the compromised data. Most states require that the state attorney general as well as customers be notified if their personal or financial information might have been compromised. In addition, you might be required to provide up to a year’s worth of credit monitoring services to customers affected by your data loss.
- Brand damage: Any organization that suffers a public data leak is susceptible to loss of customer confidence and brand damage. Who wants to do business with a company that can't or doesn't protect the data in its care? In a 2011 Ponemon Institute study measuring the loss of business reputation after a data breach, 76% of the executives whose companies had experienced a customer data breach said the event had a significant or moderate impact on the business’s reputation. What’s more, it can take a year or longer to restore reputation and brand image after a breach.
- Loss of market capitalization: Closely related to brand damage, a data leak can have a material impact on your company's stock value as investors lose confidence. For instance, following the Target Corporation breach in 2013, the Wall Street Journal reported the company's shares dropped significantly after the breach was announced.
- Forensic analysis of your computer systems: Unless you can quickly and specifically pinpoint the cause of your data leak — for example, an errant email that sends unencrypted regulated data to a large distribution list — you might be required to, or at least want to, hire a professional forensic investigation team to thoroughly evaluate your systems to determine the cause of the breach.
- Replacement, repair or buttressing of compromised systems: Depending on what the forensic team turns up, you might have to spend time and money to plug the holes and put safeguards in place to reduce the likelihood of another incident.
There's no easy way to put a simple price tag on the cost of a data leak. Expenses can mount quickly and go on for years.
Many organizations believe they are spending a lot on prevention; however, 'prevention' today is most often understood as tools that stop hackers from getting in, not tools that stop data from leaking out. Addressing both is essential. Secure enterprise collaboration tools can help with the latter. This is certainly a time to respect and observe the old idiom: an ounce of prevention is worth a pound of cure.
Daren Glenister is the Field CTO for Intralinks. In his role, he acts as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements, helping to steer Intralinks' product road map and the evolving secure collaboration market. Daren brings over 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software, having worked with many of the Fortune 1000 companies to turn business challenges into real-world solutions.