The Cost of a Data Breach
It’s no secret that data breaches are a major concern in every business and industry. There were 678 data breaches reported in 2012, affecting over 27.4 million records. As of 2011, the average cost of a data breach was $5.5 million (infosecisland.com). That figure is down from the previous year, but it is still a very expensive risk. The cost of a breach depends on several factors and can easily climb well above that average.
A malicious attack (hacking, theft, and so on) can cost up to 25% more than a non-malicious one. Most data breaches, however, result from negligence within the organization: the loss of a mobile or portable device (a cell phone, an external hard drive), or unsecured storage of retired computers, hard drives and other data-bearing devices. Below are a few recent data breaches that resulted from improper disposal or lost media.
Walgreens
Released: December 2012
Walgreens was ordered to pay a $16.57M settlement for California environmental violations. The lawsuit was filed against the pharmacy chain in June 2012 in Alameda County for illegal waste disposal and improper handling of confidential medical information. It claimed that more than 600 Walgreens stores statewide had unlawfully handled and disposed of various hazardous waste and materials for more than six years. The settlement also resolves allegations that Walgreens unlawfully disposed of customer records containing confidential medical information. Under the settlement, Walgreens must adopt more stringent waste disposal procedures and controls, and must take proper steps to ensure the confidentiality of pharmacy customer information.
TD Bank, N.A.
Cherry Hill, New Jersey
Reported: October 12, 2012
TD Bank said it lost unencrypted backup tapes in March 2012 that contained the account information, Social Security numbers, birth dates and driver’s license numbers of as many as 267,000 customers nationwide, including more than 73,000 in Massachusetts.
King Drug & Home Care
Released: January 2013
An employee reported a portable hard drive missing on November 23, 2010; it had last been seen around November 19. The data on the device dated from before July 31, 2009 and may have included client names, Social Security numbers, medical record numbers, account numbers, dates of service, race, insurance carriers and insurance numbers, addresses, phone numbers, sex, dates of birth, diagnosis information, allergies, initial referral forms, patient assessments/plans of care, physician orders and/or delivery ticket information. Approximately 13,619 records were affected.
Sources: San Jose Mercury News, PrivacyRights.org, Boston Business Journal
There are also indirect costs of a data breach to consider: the loss of current or future business and customers and, more importantly, damage to your brand and reputation. It is vital that proper steps be taken across the board to ensure that your organization’s sensitive data is protected. This is where a sound risk management strategy and decommissioning policy come in. You must set guidelines for passwords, email access, best practices for mobile devices, and the storage and security of devices and hardware. Note that in the TD Bank and King Drug cases the exposure came from unencrypted data at rest on media that left the organization’s control: encrypting backup tapes and portable drives (with the keys kept off the media), and sanitizing or destroying retired drives before disposal (for example, following NIST SP 800-88), means a lost or discarded device is no longer a breach of its contents.