How much do data breaches cost? That's the million-dollar question – literally. And to answer it, we'll look at two recent data breaches:
- Home Depot: 56 million stolen credit and debit cards.
- University of Massachusetts Medical Center: 2,400 compromised medical records.
Though these breaches took place at large organizations, their lessons apply to small businesses and IT contractors.
We'll go over each breach in detail below, but first, we should talk about Data Breach Insurance (also called Cyber Liability Insurance). This policy pays for the cost of responding to a breach, contacting customers, and investigating the breach.
Should IT contractors have Data Breach Insurance? Actually, it's usually not necessary for you. It's more important that your clients have this coverage. Data Breach Insurance is meant to cover businesses that have private data on their networks. Usually, IT professionals don't have this kind of data, but their clients do.
Let's look at how Home Depot's insurance saved it from millions in data breach costs.
What Home Depot Got Right, What It Got Wrong, and How It Was Lucky
As Advisen reports, Home Depot is just beginning the long process of responding to its data breach. Its payment systems have been upgraded, but dozens of lawsuits still hang over the retail giant. Here's the company's situation:
- The good. Home Depot has a $100 million Cyber Insurance policy, so many of its costs will be covered. When Sony was hacked in 2011, it didn't have Cyber Liability Insurance. It only carried a General Liability Insurance policy, which meant that its $2 billion in data breach costs weren't covered. Ouch.
- The bad. Home Depot is currently facing 44 different lawsuits. The company's point-of-sale software didn't scramble payment information, which allowed hackers to steal plain-text credit card numbers. The company could be found negligent for this oversight. With impending lawsuits (and more sure to come), its legal costs and data breach expenses will continue to increase over the coming months.
- The lucky. Unlike other retailers, Home Depot's data breach came at a somewhat fortunate time. The US housing market picked up significantly in Q3, which caused contractors and homeowners to spend more money on home improvements. This windfall helped Home Depot weather the losses created by the data breach. (Read more about it in the post, “Is Data Breach Fatigue Good for Tech Businesses?”)
Home Depot's data breach highlights the importance of Cyber Liability Insurance for small businesses – and how luck can be an important factor in surviving a data breach. Smaller businesses don't have the market presence of Home Depot, so customer trust is much more fragile.
Medical Data Breach Cost Estimate: $3,000 per Lost Record
HealthITOutcomes reports that UMass Medical Center informed 2,400 patients that their private health data might have been compromised. Unfortunately, that was just the beginning of the hospital's data breach issues.
One patient, Robert Jackson, has sued the hospital over the breach. Even though there's no evidence his identity was actually stolen, his lawyers are pursuing significant damages. The hospital offered free credit monitoring, but the plaintiff and his lawyers turned this down. They are seeking class-action status for the lawsuit and $3,000 in damages for each person whose data was lost, plus additional credit monitoring and security services. The total lawsuit costs could exceed $10 million.
One of the reasons data breaches can be expensive is the number of lawsuits that follow. Any customer or patient whose data was lost can file a lawsuit. Multiple lawsuits can combine into what is called a class-action lawsuit – one of the most expensive types of lawsuit.
Data Breach Costs: What Are the Risks for IT Consultants and their Clients?
There are two lessons to learn from these recent data breaches:
- Data breaches (and the subsequent lawsuits) are really expensive.
- Data Breach Insurance can help your clients pay for the cost of a data breach.
If your clients aren't prepared for the high cost of a data breach, they could sue you in order to recover some of their losses. You'll need to make sure your clients invest in Cyber Liability Insurance as well as robust IT solutions.
IT consultants should also be prudent and protect their own business against possible lawsuits. Say you installed point-of-sale software like the programs that were on Home Depot's registers, and that software stored transactional data in insecure formats. Though you didn't design the software, you could be sued because IT consultants are liable for the third-party software they recommend for clients.
How do you cover your lawsuit risk? Don't underestimate the cost of a data breach, and make sure your business has Errors and Omissions / Professional Liability Insurance to cover IT lawsuits.