(See the accompanying infographic HERE)
Has your company or organization ever given serious, disciplined thought about what a data breach would cost if it happened to you?
Your Chief Financial Officer can probably estimate, down to the penny, what a production line, facility, or department shutdown would cost. But what about the harder-to-quantify costs, such as loss of reputation, or employee morale? Has your business ever attempted to calculate those potential losses? Or even thought about them?
Only your organization, through a thorough and honest assessment, can accurately estimate the losses a data breach would create.
Here are some thought starters to help you calculate the likely costs of a data breach so you can more accurately assess your risk.
Loss of Business
This is the most frightening part of a data breach: the inevitable loss of business. The best way to estimate its impact is to calculate potential losses at the most granular level possible, in as many ways as possible.
- How long will a data breach keep you from operating? What is your expected per-day loss?
- Will you lose contracts or customers? How many? How much? How much does each customer contribute to your revenue?
- How is each of your contracts structured? Is there an opt-out clause your customers can execute if you suffer a data breach?
Reputation & Brand Damage
Make no mistake, your brand reputation will be damaged after a data breach. Quantifying its impact on revenue will be difficult, so it might be helpful to create "Worst Case," "Likely" and "Best Case" scenarios, each showing a different level of impact to your bottom line.
- Will a crisis communications consultant be needed to communicate with the media? How much will that cost?
- To repair brand damage, will you need to hire a PR firm? How long will you need it?
- Will additional marketing be required to replace lost customers? Will it take longer to find new customers?
- How long will the stigma of the breach stay with your company?
Vendors & Partners
Every business needs partners and vendors to help it achieve its goals, but how will yours react to the news of a data breach?
- Will existing partners terminate their relationship with your company?
- Will vendors require shortened payment terms, impacting your cash flow?
- Will you be able to replace existing vendors with new ones?
- Will getting credit become more difficult?
Notifications & Mailings
All 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have laws that require private entities or government agencies to notify individuals whose Personally Identifiable Information (PII) has been compromised in a breach. Many of these laws also set notification deadlines and require notice to the state attorney general or to consumer reporting agencies once the number of affected residents exceeds a threshold.
- Do you know the notification requirements and exclusions for the states in which you do business?
- Does your industry require customer notifications be sent?
- Do you know the penalties you may be assessed for a data breach?
- Can you notify affected customers via email or USPS mailing?
- How many notifications will need to be mailed?
Employee Morale & Recruitment
A data breach can have a significant impact on your workforce's morale and esprit de corps, and even more concerning, that impact could be invisible to company leadership. It's important to be transparent and honest with your associates because they're the ones who make your company work.
- Will short-term breach expenses force staff reductions?
- Will hiring new or replacement talent be more difficult and slower?
- Will you lose employees due to loss of credibility?
- Will a lack of communication with your employees do even more damage?
Legal & Litigation
Since a data breach exposes your organization to liability, you will need additional legal counsel.
- How many data records could be breached in a worst-case scenario?
- How many breached customers will likely sue?
- Will you settle out of court? If so, what will the settlement costs be?
- Will there be class-action lawsuits?
Insurance
There are many insurance considerations to assess after a data breach.
- Will your business insurance premiums go up? If so, by how much?
- Do you have cyber insurance coverage?
- Does your cyber insurance cover both first-party and third-party liabilities?
- What breach-related costs are covered? Which are not?
Regulatory Fines & Penalties
There are many data-protection laws and standards, federal, state, foreign and industry-specific, under which a business can be penalized, in whole or in part, for failing to protect customer data.
- Do any of these regulations apply to your business?
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Gramm-Leach-Bliley Act (GLBA)
  - Federal Information Security Management Act (FISMA), which applies to federal agencies and their contractors
  - General Data Protection Regulation (GDPR), which applies to the personal data of people in the EU regardless of where your company is located
  - California Consumer Privacy Act (CCPA), a state law covering California residents
  - Payment Card Industry Data Security Standard (PCI DSS), a contractual industry standard rather than a statute, enforced by the card brands and your acquiring bank
- If you are a publicly traded company, could the SEC also fine you?
- Do you know how fines are calculated under each statute that applies to you (per violation, per record, or as a percentage of revenue), and what the caps are?
Investors & Shareholders
Businesses exist to serve their customers and make money for their owners. After a breach:
- Will investors divest their ownership shares?
- Will sell-offs impact your market capitalization?
- Will acquiring new investors become much more difficult?
Credit Monitoring
- Are you required to provide credit monitoring to affected customers? For how long?
- How much does credit monitoring for each customer cost?
Security Software & Services
The data breach will have exposed flaws in your IT environment, and you will need to fix them and improve your cybersecurity to remain in business.
- After a breach, will you need to purchase and maintain additional security software?
- Will you hire internal security experts or use an outside firm?
- What will the added security costs be?
Professional Credibility
Even if you are active in professional communities, there will be damage to your credibility.
- Will you still be invited to industry speaking opportunities?
- Will professional organizations distance themselves from your company?
- Will you still be viewed as an expert in your industry?
These 12 thought starters are meant to encourage deeper, more meaningful discussions about your company's cybersecurity risk and to illuminate the potential costs you might face after a data breach. If you need an expert to help you improve your security posture, we're here to help; reach out for a confidential conversation with one of our security experts.
MCPc is a global data protection company that helps organizations dramatically minimize their risk of disruption from unforeseen events like data breaches. Our goal is to help every client achieve the highest degree of security and the least amount of risk their organization can afford, or what we call, SecurityCertainty.