Cyber Defense Magazine – July 2019

(Sean Pound)

a data breach in the 2017 calendar year. Each of these data breaches involved the compromise of 2,500
to 100,000 records containing personal information, which cost these companies on average $148 per
compromised record. But, according to the Ponemon Institute, the costs per record are not all equal; costs
grow exponentially with the number of records breached. The Ponemon Institute estimates that the cost
of a 1 million record breach is approximately $40 million, while a breach of 50 million records is $350
million. That seems like a large bill to pay for a situation that may have arisen from an employee leaving
a laptop open in an unsecured location, a business failing to discover a vulnerability in the company’s
information technology systems, or an employee clicking on a nefarious link in an email.


With costs of a breach this high, one would think that every company would have elaborate cybersecurity,
business continuity and incident response practices and procedures in place. Yet, only 55 percent of
those surveyed by the Ponemon Institute had a business continuity management function or disaster
recovery team that was involved in enterprise risk and crisis management. This was to their detriment.
Prevention is truly the best medicine when it comes to data breaches.


Hackers often look for information that has value, such as an individual’s name plus his/her bank account
number, social security number or credit card number. Ensuring that your company’s practices and
procedures with regard to these types of information provide adequate protection should be the
cornerstone of your planning. However, you also need to plan for how you and your team will respond
when this valuable information is compromised.


When companies have taken the time to think through and formulate comprehensive incident response
policies, incident response times and costs are significantly reduced. According to the Ponemon
Institute study, companies that had business continuity management/incident response programs in place
saw a 6.5% reduction in the per capita cost of a data breach and a 44-day reduction in the average time
to identify a data breach compared with those that did not. For companies with robust practices and
procedures in place, this works out to a difference of $690,000 in the average total cost of a data breach
($4.24 million average total cost without business continuity management/incident response programs
versus $3.55 million for those with such programs).


Because there is not an overarching federal policy on data breaches, compliance can be complex. There
are certain federal rules pertaining to particular types of personal information and certain sectors of the
economy, like protected health information, which is protected under the Health Insurance Portability and
Accountability Act (“HIPAA”). There is also nonpublic personal information, which is protected under the
Gramm-Leach-Bliley Act of 1999 (“GLBA”) and applies to financial institutions such as banks and
lending institutions. But, for the most part, general data protection laws come at the state level, some even
getting down to the county and city level, and, unfortunately, these laws are far from uniform.


Adding to the compliance difficulty is that many companies are not aware of which laws actually apply to
their given data breach. Generally speaking, under most of the laws regarding notifying affected persons
after a data breach has occurred, the residency of the affected person is the determining factor in which
law applies. For example, if a Missouri resident makes a purchase from a business in California, and that
individual’s information is stolen, the California company would have to comply with Missouri laws with
regard to notifying such resident of the data breach. Additionally, since the company was doing business
