Data security breaches continue to increase as a source of financial, legal, and reputational risk for a wide array of businesses. Financial institutions have long been aware of the significant risks they face, and other industries are catching on quickly.
In the event of a significant breach, most states require a company to notify the affected customers, the attorney general, and the consumer reporting bureaus. A recent article in Inc. magazine counted 46 states and the District of Columbia as currently having data breach notification laws.
One result of the notices required by these laws is that watchdog groups are better able to monitor breaches. According to the Identity Theft Resource Center, a nonprofit group that tracks data security breach reports, there were 447 data security breaches reported in 2012, covering 17,317,184 individual records. However, this is not the entire picture. Breaches affecting a smaller number of customers may not be required to be reported, and are therefore not included in the publicly-available statistics. For example, under North Carolina's Identity Theft Protection Act, only breaches affecting 1,000 or more individuals must be reported to the Attorney General's office and consumer reporting bureaus.
Data security breaches can be very, very expensive. A study conducted by online risk management firm NetDiligence reported that in 2011, the average total cost to a company of a security breach was $3.7 million, with an average legal settlement cost of $2.1 million and average legal fees of $582,000. The same study indicates that 26% of data breach lawsuits were brought against companies in the financial services sector, with 20% in the health care sector and 10% in the retail sector.
What can a company do now--before a breach--to address this risk?
- Commercially Reasonable Security Measures and Policies. Companies should know the most common types of threats and take reasonable measures to prevent them. This should include technological standards and well-thought-out policies.
- Due Diligence on Third Parties. Several recent major data security breaches have arisen out of vendors who obtained customer information from another company. The vendor usually has no direct relationship with the customer, and the customers typically sue the company with which they have a relationship in addition to the vendor. Selecting third party vendors to handle your customers' information should involve a commercially reasonable due diligence process to ensure only responsible vendors are deemed eligible. Knowing the right questions to ask is key.
- Well-Drafted Contracts. Some risks of loss arising from data security can be reduced through well-drafted contracts with customers, third-party vendors or financial institutions. Most of the proposed contracts I have seen presented to companies by third party vendors are woefully inadequate to protect the company if the vendor fails to prevent a breach of the company's customer data. A lawyer who understands the issues can help a company save large amounts in litigation fees and liability in the event of a subsequent breach. This can be a case of a few hundred well-spent dollars saving potentially millions down the road.
- Cybersecurity Insurance. A number of firms now offer insurance against losses arising from data security breaches. I have seen this coverage available as an addition to directors and officers liability insurance coverage (a.k.a. D&O policy). Again, this is an opportunity to spend a small amount that may ultimately save a company massive amounts later.
Given the enormous losses sustained as a result of the the reported breaches, it is conceivable that recognizing the risks presented by data security breaches and addressing them before they occur may ultimately make the difference between a company's survival and failure.
This post is not intended to give, and should not be relied upon for, legal advice in any particular circumstance or fact situation. No action should be taken in reliance upon the information contained in this post without obtaining the advice of an attorney. If you have questions concerning this post, please contact Matthew A. Cordell at firstname.lastname@example.org or 252.672.5418.