Navigant’s “Information Security & Data Breach Report” indicates that health-care enterprises experienced the largest percentage of data breaches in the third quarter of 2012. Just as important, the Navigant study highlights the fact that no industry sector, whether it is retail, commercial, transportation or even Main Street business, is free from risk.
And this risk is growing. The study points out that the number of records breached across all corporate entities catapulted from 45,776 records in the second quarter of 2012 to 133,689 records in the third quarter — a staggering 192% increase. The average cost of a data breach for corporate entities also skyrocketed over the same period, from $8.8 million to $25.9 million.
Once a breach occurs, the related costs can increase drastically. Federal and state rules generally require companies to discern the cause, nature and extent of the breach and then notify any parties who may have been affected. Other necessary actions often include monitoring victims’ credit statuses, establishing a call center to communicate with those affected and retaining the services of a public relations firm to control the reputational fallout.
These factors and findings open the door for more insightful discussions regarding IT budget allocations for data breach prevention and incident response. At an insurance industry conference in November 2012, hosted by the Professional Liability Underwriting Society, a panel composed of various industry experts was asked how much of an IT budget should be spent to defend against a data breach or privacy loss. The responses varied from 3% to 7%. Based on the growing vulnerability of all industry segments, this budgeted allocation is likely insufficient for many companies.
A look at the cost of notification and monitoring alone gives a good sense of why more resources may be needed. For example, if a company is required to notify 5,000 employees whose names and social security information are stolen, and provide 10% of these employees with monitoring services, the costs to the company might approach $60,000.
Data breaches and privacy losses continually pop up in diverse industry surveys as the biggest worry of IT managers. Ensuring your organization has listened and responded to these concerns with an adequate budget is the first line of defense.