Most organizations promise to care for their customers, patients and partners; however, evidence suggests otherwise when it comes to the unauthorized disclosure of confidential information.
Businesses in all industries that aggregate and maintain third-party data are particular targets of information theft and network security breaches. In the health care industry, where patient data is regularly transferred among multiple organizations, mitigating the risk of data loss and an organization's cyber liability is paramount.
For a long time, the government looked the other way despite banking and health care-related privacy-protection laws. Recently, however, government has stepped up enforcement. Earlier this year, the U.S. Department of Health and Human Services imposed its first medical-privacy fine under the Health Insurance Portability and Accountability Act (HIPAA) when it hit Providence Health & Services, a Seattle-based not-for-profit health system, with its maximum penalty of $100,000 for losing unencrypted patient records five times between 2005 and 2006.
They are not alone.
Since 2005, the Privacy Rights Clearinghouse, a consumer awareness nonprofit, has logged information-security breaches that have turned 244 million people into potential victims of identity theft. This hall of shame includes every industry from financial services and technology to manufacturing and health care. It also includes public-sector organizations from charities and educational institutions to every level of local, state and federal government. Most worrisome, last month Newsweek reported on a leaked report from the Government Accountability Office that found branches manning the front lines against cyber attack, such as the military and Homeland Security, still do not "exhibit attributes essential to having a truly national capability."
Unfortunately, more trouble is on the way for businesses. Information theft has become more profitable, more pervasive and more sophisticated than ever. Lone wolves making solitary probes have given way to criminal gangs and politicized mobs that systematically scan the globe. As a result, legions of hackers, criminals and spies attack computer systems all over the world looking for weaknesses that allow them to steal data or create "zombies" that expand their wealth and power. In response to this cyber storm, larger companies have hardened their defenses, leading criminals increasingly to target the more vulnerable.
Health care seems to be a particularly vulnerable industry group.
"Health care organizations store a lot of valuable personal, identifiable information such as Social Security numbers, names, addresses, age, in addition to banking and credit-card information," said Don Jackson, researcher at Atlanta-based security services firm SecureWorks. SecureWorks has recorded an 85 percent increase in the number of attempted attacks directed toward its health care clientele by Internet hackers, with these attempts jumping from 11,146 per health care client per day in the first half of 2007 to an average of 20,630 per day in the last half of last year through January of this year.
The most vulnerable, however, are small- to medium-sized businesses and home computers. Their machines lack specialized defenses or dedicated security personnel. Hence, they do not remain intact for long. The SANS Internet Security Center has found that on average, an unprotected computer is penetrated within an hour of being connected to the Internet. Even well-defended computers are routinely compromised via Web site scripting, "free software," e-mail attachments, P2P sharing, wireless networks and "social-engineering" (artful impersonation).
So what's to be done?
Organizations large and small must recognize that the game has changed fundamentally. Any breach of confidential information will produce enormous costs and liabilities as well as fines and customer churn. Thus, organizations need to review policies and practices to strengthen information security and eliminate any chance of inadvertent error or exposure. Finally, since no defense is perfect, prudence dictates that firms minimize the public-relation and financial fallout of a breach by developing crisis-management plans and buying specialized insurance.
The cost of security breaches
Security breaches are costly because they produce business interruptions, require forensic discovery, lead to substantial remedies and often result in lost secrets or tarnished reputations. However, the cost of a breach has grown exponentially over the past few years for two reasons.
First, federal regulations now hold directors and officers personally accountable for breaches of medical or financial privacy, leading to fines and lawsuits. Second, 47 states now emulate California's law that mandates that potential victims be warned when confidential information has been disclosed. The goal is to notify victims so that they might take precautions against identity theft and fraud.
As a practical matter, both federal and state laws will be triggered in the event of a breach. In addition, businesses will lose money to the seven horses of the cyber apocalypse: notification, monitoring, share-price loss, class-action lawsuits, reimbursement of banks, lost time and reputation, and -- adding insult to injury -- regulatory fines.
Notification: In most states, businesses will have to pay to notify victims, via the media, by mail, e-mail and other methods. These expenses are the smallest part of a larger category of first-response costs that will include forensic analysis and crisis-management expenses. Businesses will need to find and close breached systems. They will also have to defend themselves immediately and publicly when dragged before the bar of national opinion by regulators, media and plaintiff's counsel.
Credit-report monitoring: Increasingly, companies that breach data are either volunteering or are being ordered by courts to pay victims for credit-report monitoring from one to three years. The expense can quickly become astronomical. When individuals buy this service, it costs $10 to $30 per month. When businesses buy it in volume blocks of 100,000 licenses, it costs $32 per individual per year.
For example, the Birmingham, Ala., VA Hospital suffered a breach in February initially thought to be 48,000 records. It promised to pay for one year of credit monitoring. Later, the hospital discovered that the breach affected 1.8 million people. If all of the victims use the service, credit reporting will cost $57.6 million.
Shareholder losses: A University of Virginia study found that publicly traded companies that disclose an information breach often see an immediate share-price reduction of 5 percent to 10 percent. Although the hit eased over time, a drop of 5 percent or more typically triggers shareholder lawsuits -- an expense that continues long after the stock price has recovered. In one such action, Oxford Health Plans lost $280 million and ended up being acquired.
Class-action suits: In SEC filings, TJX, parent of TJ Maxx, Marshalls and HomeGoods, reported class-action settlements of $130 million. These payments cost shareholders 28 cents per share, or 10 times management's first estimates. Despite these outlays, the total losses will be higher. The firm has had to pay for customer notification, forensic analysis, remediation, 300 banking-related suits, security upgrades and the lifetime value of lost customers. Forrester Research estimates these losses at $1.3 billion; the Ponemon Institute puts them at $1 billion.
Credit-card reimbursement: Over the past few years, business-to-business lawsuits among banks and retailers have become one of the most expensive components of data breaches. Financial services companies have been suing to recoup the expense of re-issuing credit cards, which costs $10 to $25 per card. For example, in 2005, BJ's Wholesale Club, a big-box retailer, said in its SEC filings that it had paid $25 million to 22 banks that canceled and re-issued credit cards. Similarly, the recent breach at TJX led 300 banks to cancel and reissue credit cards.
Other costs: The largest costs are the most difficult to calculate: lost business, lost opportunities, defection of customers, damage to a brand, lost management time, lost strategic focus, tactical distraction and the implementation of costly new security infrastructure required by regulators. The Ponemon Institute conducts an annual data-breach-cost survey that shows these lost business costs contribute $128 to the average $198 cost of a lost record.
Regulatory fines: On top of it all, businesses often face fines and penalties. For example, after consumer-data broker ChoicePoint compromised 163,000 customers, the Federal Trade Commission made it pay $10 million in fines. The FTC also compelled the company to remediate its systems, costing an additional $5 million.
Changing business practices
To minimize the liability, organizations need to continually implement the best technology solutions available. At the same time, they need to update their business practices to reflect the new environment in which a disclosure of consumer information could have catastrophic implications.
By focusing on the following three areas, organizations can go a long way to protect themselves and the public:
• First, implement procedures that meet recognized security standards such as the international standard ISO 27002 (also known as ISO 17799). This standard underlies many others and is used by insurers to underwrite the Fortune 1000. Many insurers will pay to have this or another type of compliance audit done because companies that do not meet recognized standards cannot purchase insurance to cover information-security breaches. Other important standards include HIPAA, COBIT, PCI/DSS and the recently approved ISF standard.
• Second, explicitly specify in vendor contracts who is liable in the event an information breach occurs. Because many companies are in an extended value chain, it is often unclear who has ultimate responsibility if a breach occurs. With surprising regularity, vendors will convince companies to sign contracts that transfer that risk to their partners. Companies would be well served to review their vendor contracts to assess their potential exposure.
• Third, ensure that all of the costs of a security breach are covered by insurance. Many organizations have weak liability protection for privacy breaches and next to none for information-security liabilities or the attendant first-party expenses of a breach, such as notification, monitoring and fines. Businesses can do better. Insurance products exist today that cover not only legal costs, awards and settlements but also notification and remediation, as well as business interruption, ransom and crime. Few insurance brokers can currently evaluate gaps in traditional programs, understand and place new policies, or help with risk evaluation, quantification or management. Do not settle for less.
Particularly for small- to mid-tier organizations, which do not have the deep pockets of the Fortune 1000, the price of inaction could have dire consequences. Egghead.com was formerly a high-flying computer retailer and Internet darling. After it reported 4 million records hacked and compromised, the company went bankrupt. It is now nothing more than road kill on the information highway.
That band is long, wide and fast. The time to act is now.
Perez-Reyes and Buchanan work for Barney & Barney LLC, a California-based company that provides a wide range of insurance and risk-management solutions.