FIGURE 1
Privacy Rights Clearinghouse
2008–2011 Reported Data Breach Incidents
Frequency/Severity Ranking (Most to Least)

Entity Type                                   Data Breach Incidents Reported   Avg Records Breached
Educational Institutions                      1                                5
Health Care—Medical Providers                 2                                3
Government and Military                       3                                4
Businesses—Other                              4                                2
Businesses—Financial and Insurance Services   5                                1
Businesses—Retail/Merchant                    6                                7
Nonprofit Organizations                       7                                6
Source: Privacy Rights Clearinghouse
FIGURE 2
Privacy Rights Clearinghouse
2008–2011 Reported Data Breach Incidents
Frequency/Severity Ranking (Most to Least)

Cause of Breach          Data Breach Incidents Reported   Avg Records Breached
Portable Device          1                                2
Unintended Disclosure    2                                6
Hacking or Malware       3                                3
Insider                  4                                1
Physical Loss            5                                7
Stationary Device        6                                4
Unknown or Other         7                                5
Payment Card Fraud       8                                8
Source: Privacy Rights Clearinghouse
The Cost of Protection
Although the acts of negligent employees and contractors are the most common cause of a data breach, studies have shown that malicious attacks by cyber criminals are the most costly. According to the Ponemon Institute, the average cost per compromised record as the result of a malicious attack is 28 percent higher than the average cost resulting from insider negligence. Ponemon research also indicates that the total cost of a data breach is directly related to the number of compromised records. In its 2011 study, Ponemon categorized the direct and indirect costs of a data breach (see Figure 3). The direct costs stem both from an organization’s efforts to secure the private and proprietary data it has collected during the course of daily activities and from the expenses incurred in responding to the breach.
20 CONTINGENCIES JUL | AUG. 12
Direct costs aimed at preventing a data breach can include:
■ Evaluating and upgrading the security system;
■ Developing emergency response processes;
■ Arranging information system structures in a modular format to protect the most sensitive data elements;
■ Building redundant systems to serve as backup in the event of a failure.
Once a data breach has occurred, direct costs can include expenses related to detection and repair of the breach, notification of affected parties, and ongoing efforts to prevent future damages. Ad hoc, uncoordinated efforts to remediate a data breach result in significantly higher costs compared with a planned response that includes contracting with third-party experts to manage the process, particularly in navigating regulatory compliance and privacy notifications. (As a goad to those organizations wavering in their commitment to data security, Ponemon reports a direct correlation between the existence of a chief information security officer on staff and lower costs in the wake of a data breach.)
Although the direct costs from a data breach can run in the millions of dollars, indirect costs can outpace them by almost 2-to-1. The Ponemon Institute estimates that indirect costs related to reputational damage that causes a loss of current and future business can amount to more than 60 percent of the overall cost of a data breach. For the 188 data breach events the institute surveyed between 2008 and 2011, the average cost of lost business due to the breach was more than $4.1 million.
With those kinds of statistics, it’s surprising that companies and executives continue to show contradictory behavior when it comes to taking cyber risk seriously. But they do. In 2011, pollsters for the PricewaterhouseCoopers Global State of Information Security Survey contacted more than 12,000 chief executive officers, chief information officers, and chief security officers worldwide, as well as vice presidents and directors in IT and information security, to see if their organizations had insurance policies to protect them from theft or misuse of electronic data, consumer records, and the like. Some 46 percent responded yes, while 17 percent indicated that their firms had submitted claims on those policies and 13 percent said they had collected on those claims. At the same time, however, management consulting firm Towers Watson, as part of its 2011 Risk and Finance Manager Survey, found that 73 percent of the 164 risk managers it contacted worked at companies that hadn’t purchased network liability policies. In addition, 37 percent of those whose companies hadn’t purchased network liability policies said they believed their internal IT departments and controls were adequate, while 15 percent more said either that the cost of a policy was too high or that they weren’t overly concerned about the risk.
WWW.CONTINGENCIES.ORG