As an IT consultant, tech contractor, or programmer, you usually focus on security from the technical perspective, so it's easy to forget that it can have a real effect on a company's bottom line. Case in point, Businessweek reports that Target's profits are down 12 percent this year following its massive 2013 data breach.
The cost of a data breach can be felt in many areas, not just lost profits and diminished revenue. There are lawsuit costs, PR expenses, and the cost to investigate and fix the faulty IT infrastructure that led to the breach.
In other words, there's a "hangover" effect that happens after a data breach. The initial breach is devastating, but it's the lingering consequences that can affect small-business owners – and ultimately put them out of business.
What Happens after a Data Breach?
To understand the costs and long-term effects of data breaches, it's important to remember that a breach isn't just a single event. In the immediate weeks and months after a breach, a small business will have many legal responsibilities to meet in addition to the work it has to do to rebuild customer trust.
Though a number of data breach laws have been proposed, there is no single law that determines what a business needs to do after a breach. Unfortunately, this means there are actually many laws business owners must know. Currently 46 states have data breach laws, each slightly different from the others.
Usually, these laws require small businesses to respond to a data breach with some combination of the following:
- An alert sent to affected customers.
- A notice filed with the state attorney general and/or consumer rights groups.
- Credit monitoring services offered to customers (in the case of large data breaches).
These responsibilities are only the beginning of a data breach response. Many companies have to set up call centers or other ways for customers to receive more information or file security complaints.
Then there are the lawsuits. It only took days for the first lawsuit to be filed against Target. To make matters worse, the trend has been to punish companies more severely for data breaches. Recently, a judge ruled that consumers could sue businesses, even if their stolen data didn't lead to an actual case of identity theft. (See our report "$3 Million Settlement Paves the Way for Non-Identity-Theft Data Breach Awards.")
How Does a Data Breach Affect a Business’s Profits?
As we saw, Target's profits have fallen by 12 percent after its December data breach. These effects can be even more devastating for a small business working with a tighter budget.
Say you lose more than 10 percent of your profits: you might start wondering where your rent or mortgage payments will come from.
For many small businesses, their business is based on reputation and networking – especially in the early stages of development. When a data breach (or other PR disaster) occurs, the network of clients and referrals they worked so hard to cultivate could fall apart, and unlike Target, small businesses don't have the resources to spend on new advertisements, crisis management, and other measures to prevent more damage.
A recent study found that customers saw data breaches as one of the top three things that can destroy a company's reputation. See more details in the article "Survey: Customers Find Data Breaches Only Slightly Better than Oil Spills."
How Long Does It Take to Recover from a Data Breach?
There's no simple answer to this question. Six months after the data breach, Target is still reeling. In fact, according to reporting from Bloomberg News, an advisory firm has argued that shareholders should vote to oust seven of Target's 10 board members and hold them accountable for not doing more to prevent the data breach.
Because breaches are so expensive (and the costs linger), you'll see moves like this, lawsuits, and counter-lawsuits. All in all, it'll be years before the dust finally settles. We've already seen one Target executive resign, but there will likely be more fallout in the future.
IT Insurance: Protection from the Costs of a Data Breach
Small business insurance offers two ways IT professionals can protect their business from data breaches…
- Cyber Liability Insurance (also called Data Breach Insurance or Cyber Risk Insurance). This pays for the response costs when a business is attacked. This insurance policy is something your clients should have to cover their data liabilities. As an IT contractor, you probably won't have to pay for the direct costs (contacting customers, call centers, etc.) of a data breach response, which means this coverage makes more sense for your clients than for you.
- IT Errors and Omissions Insurance. This coverage pays for lawsuits when clients sue you over a data breach. E & O Insurance covers your professional liabilities, which include everything from data breaches to coding errors. If you recommend software or a cloud service that leads to a data breach, this insurance covers your lawsuit.
Visit our sample IT insurance quotes page to learn more about E & O coverage, which starts at $40 a month for IT contractors.