Why do people buy insurance? It’s because they have conducted some sort of analysis—however simple and qualitative it might be—and determined that the downside of buying insurance is not as great as the downside of the loss that can occur from a home fire, a major illness, and automobile accident or some other calamity. In other words, most people are willing to accept a 100% certainty of spending money on insurance to avoid the very small probability that a catastrophe could wipe them out financially.
People who are quite rational in this regard—i.e., they buy home, life, auto and health insurance for themselves and their family—often tend to be less rational when it comes to business decision making. There are many decision makers who opt not to implement the processes and technologies necessary to minimize the likelihood of a data breach, leaving themselves open to the enormous costs associated with a breach of customer data, their intellectual property or something else of tremendous value.
An article published in Enterprise Systems discusses the fact that many compliance officers take calculated risks not to implement compliance protocols and tools that will minimize the potential for a data breach. Instead, they make a calculated decision that the downside of a data breach is not worth the cost of preventing one. The problem, as pointed out in the article, is that “many enterprises have not conducted risk analyses and don’t have an incident response plan, making it impossible to accurately estimate costs.”
What many decision makers have not sufficiently thought through is that there can be enormous ramifications from even a single data breach. For example, a breach can trigger notification requirements at state and federal level that can be expensive to satisfy, particularly when thousands or millions of records having been breached. Violating breach notification laws (most US states have them) can result in significant fines that could total in the millions of dollars. Many existing customers may rethink their business relationship with a company that cannot protect their data, resulting in lost revenue. Similarly, prospects may not want to do business with a company that cannot keep its digital house in order. Corporate executives will likely have to play defense with reporters and others discussing the breach. Insurance companies may charge higher premiums for cyber insurance. The list of potential ramifications goes on.
As but a few examples of major fines arising from data breaches, consider the case of South Shore Hospital that paid $750,000 in fines and other costs from a 2010 data breach,BlueCross BlueShield of Tennessee’s fine of $1.5 million for a 2009 data breach, or Welcome Financial Services’ £150,000 fine for tapes that went missing in late 2011.
To address these issues, organizations need to know with what regulations and industry best practices they should comply. They need to have policies in place that will address the management and protection of sensitive data. They need to have the technologies in place that will encrypt, archive, block and delete data as necessary according to policy. And they need to have a management culture that makes the common sense decision to implement the insurance that minimize the risk of a data breach.