Cyber Security: Cost of Data Breaches, PCI Court Challenge, Role of Cyber Insurance and Cyber Attack Update

The Cost of Data Breaches to US Companies

ponemonAt present, every U.S. state has a data breach notification law except for Alabama, Kentucky, New Mexico and South Dakota.  A Ponemon Institute study found that:

  • in 2012 data breaches cost companies $188 per record compromised or $5.4 million on average;
  • A plurality of the breaches (41 percent) were due to malicious or criminal attacks, followed by employee negligence (33%) and system glitches (26%);
  • On average, the breach costs businesses $3.03 million in lost business (other reports have found that 60% of small businesses fold within six months of a data breach);
  • If the organization has a formal incident response plan in place prior to the incident, the average cost of a data breach was reduced as much as $42 per compromised record. In addition, a strong security posture and the appointment of a CISO saved as much as $34 and $23, respectively. Finally engaging an outside consultants to assist with the breach response also saved as much as $13 per record. Hence, when considering the average number of records lost or stolen, all of these factors can provide significant and positive financial benefits.

A Carnegie Mellon study found that providing free credit monitoring services can reduce the risk of a lawsuit by 83%.  An important consideration given that AOL just agreed to pay $6 million to settle a data breach class action.

Despite the high cost of data breach, a Symantec survey of small businesses found:

  • Eighty-seven percent of SMBs do not have a formal written Internet security policy for employees while 69 percent do not have even an informal Internet security policy for employees.
  •  Fifty-nine percent of small business owners/operators say they do not have a contingency plan outlining procedures for responding and reporting a data breach loss such as: loss of customer or employee information; loss of credit or debit card information; or loss of intellectual property; 31 percent say they do have a contingency plan to handle such challenges.

PCI Penalty Regime Subject of Court Challenge

MasterCard, Visa and Discover require merchants to adhere to the Payment Card Industry (PCI) Data Security Standard.  As part of their merchant contracts, the credit card companies can assess substantial penalties and fees for “violations” or even to confirm the absence of a violation – all without any appeal or recourse.  After Genesco, which operates retail stores such as Johnston & Murphys, suffered a data breach of its computer system in 2010, MasterCard assessed a $2.2 million penalty, while Visa assessed $13.3 million, contending that Genesco was not PCI compliant.  Genesco contends it was compliant and that there is no evidence hackers actually stole any credit card data.  Genesco has filed suit to recover the $13.3 million, while Ciseros, a Utah bar and grille, is challenging the imposition of similar penalties without any evidence of a breach.  Industry observers note that the “dirty little secret” of the whole PCI compliance regime is that it is a huge revenue stream for the credit card companies, who under their contracts are free to act as prosecutor, judge and jury in assessing the fines.  It is uncertain whether either action will succeed but retailers are hoping that it could lead to the creation of some independent body to oversee the process of imposing fines.

The Role of Cyber Insurance in Maintaining Cyber Security

While the Cyber Insurance industry has grown to a $1.5 billion industry, it remains an under utilized tool.  The Obama Administration recently circulated a white paper on ways to increase adoption of cyber insurance as a way to increase market incentives for increased cyber security.  As the paper explained, cyber insurance is:

an effective, market-driven way of increasing cybersecurity’ because it may help reduce the number of successful cyber attacks by promoting widespread adoption of preventative measures; encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection; and limiting the level of losses that companies face following a cyber attack. Many companies nevertheless forego cybersecurity insurance altogether. They cite its perceived high cost, a lack of awareness about what it covers, and uncertainty that they’ll suffer a cyber attack as just some reasons for their decision.

The white paper recommended bolstering the market for cyber insurance by requiring it of government contractors and limiting cyber incident liability for companies that follow certain best practices.

The insurance industry is trying to boost awareness of cyber security, with AIG recently releasing an a mobile app that provides alerts on data breaches.

Stan Stahl, President of the Information Systems Security Association (Los Angeles Chapter) and Matt Carlson of Risk Strategies discussed the state of Cyber Security and Cyber Insurance on a recent Cyber Law & Business Report.

Podcast: Play in new window | Download (51.2MB)