If your organization handles sensitive or confidential data, it’s vital to ensure you’re meeting all relevant compliance requirements. That’s indisputable wisdom, not only because it means staying on the right side of the law and regulations, but also because it vastly increases the likelihood of avoiding fines and other direct and indirect costs imposed when security breaches occur.
According to the 2016 Ponemon Cost of Data Breach Study, the average cost of a data breach is $4 million. The study also reports that the average cost incurred for each lost or stolen record containing sensitive and confidential information was $158.
Although regulations and potential civil liabilities vary by country, state, and industry, in general, breaches of any kind of data that personally identify individuals (known as PII for “personally identifiable information”), or that is legally or contractually recognized as sensitive, private, or confidential, can lead to fines and penalties.
Consider just one example from the financial industry. The Payment Card Industry Data Security Standard (PCI DSS) applies to every merchant who accepts credit or debit cards. A non-compliant merchant can face fines as high as $100,000 per month.
Merchants can also face time-consuming and expensive audits, and must publicly disclose breaches, both to the public at large and to card holders who may have been affected. Other potential costs include those for making such notifications, for providing affected cardholders with identity theft insurance, and for paying legal settlements. That’s in addition to the potential loss of business and reputation damage that typically occur when breaches are announced.
HIPAA Compliance Can Be Deadly Serious
In the healthcare industry, fines for failure to comply with information security regulations under the Health Insurance Portability and Accountability Act, or HIPAA, can climb as high as $50,000 per violation (or per health record involved). Violators may also be subject to criminal charges that can result in jail time.
Breaches of health systems’ networks, exposing patients’ private health and financial information to hackers, are depressingly common: The U.S. Department of Health and Human Services (HHS) has dished out “corrective actions,” which typically include fines and other mandates, more than 24,000 times since 2003.
To cite just two recent examples: In December, California’s Cottage Health System admitted that as many as 11,000 people may have been affected by a breach of just a single server. And Lahey Hospital and Medical Center in Massachusetts paid a fine of $850,000 after an HHS investigation revealed “widespread non-compliance with HIPAA rules.”
As in the payment card industry, healthcare providers face lengthy and costly audits when non-compliance is reported to, or suspected by, regulators. Lahey, for example, was under investigation for four years after acknowledging a violation in 2011. And while large health systems are at greatest risk, HHS has made clear it takes seriously all potential violations, and has investigated and issued sanctions against medical providers of all sizes.
The Costs Pile Up
Aside from fines or penalties, organizations are subject to other damages, too. Some of these can be difficult to measure, or may take years to be fully felt and counted.
For three weeks in the fall of 2013, Target’s point of sale terminals were compromised. As many as 70 million customers had their credit card data stolen. Within weeks, Target’s sales were falling off. Fourth-quarter 2014 revenue decreased by 2.5 percent.
Obviously, reputation matters greatly, and can be hard to restore once damaged. Target learned this the hard way. YouGov’s 2013 BrandIndex rankings showed Target dropping sharply just after the announcement of the data breach.
But Target is hardly alone. Think back to other high-profile/high-cost breaches: the retailer TJ Maxx ($162 million), the healthcare firm Anthem (more than $100 million), Sony Pictures ($100 million), Home Depot ($56 million), and more. While you may still do business with these firms, you may also wonder whether they are protecting your personal information as they should be. Such reservations can stop customers from engaging with a brand in a more meaningful way, such as opting in for updates or promotions that require customers to share personal information.
Data breaches today are common – but they’re not inevitable, and the costs of compliance failure can be extreme. For a deeper conversation about what you need to do to secure your digital assets, reach out.