
Set the record straight: How safe is your data?

Protecting your clients’ personal identifiable information, including their credit card numbers, is critical. A breach here can be the costliest of all.

Question two: What type of data was exposed?
Data can be broken down into three categories: ‘PHI,’ ‘PCI,’ and ‘PII.’ PHI stands for ‘personal health information,’ so this category has little risk in the jewellery industry. However, you still need to be mindful of employee data falling under this category.

PCI stands for ‘payment card information.’ The Payment Card Industry Security Standards Council (PCI) created the PCI Data Security Standard to securely manage data involved in financial transactions. However, since businesses run on the cash they bring in from their customers, many organizations these days are concerned with more than just a place to charge the bill. They want to know their customers more intimately, so they become loyal and make repeat purchases. This is where PII comes in.

Personal identifiable information includes elements of PCI, such as credit card information, but it also includes much more, such as name, e-mail, bank account details, etc. PII breaches are the most costly because they reveal so much and are able to connect an individual to data points, such as credit card numbers.

Question three: Was this the first breach at your organization?
If you have had a data breach in the past, the fines and penalties associated with subsequent breaches may rise and create additional costs. The punitive damages are aimed at encouraging organizations to bolster their data security practices to avoid having a breach occur again.

Large corporations are not the only entities susceptible to being hacked. Regardless of size, any business is at risk.

Question four: Did you store your data in a centralized system or location?
Storing your data in a centralized location is not just a good business management practice, but it will also save you time and money in the event of a data breach. Data stored in multiple places makes it more difficult to determine the source and scope of the breach.

Question five: Do you suspect fraudulent activity?
Any suspicion of fraudulent activity regarding improper use of your data eventually leads to higher costs for your business, as more legal action will be required. Additional investigation may also be needed to determine the motive behind the fraud and what the criminals were trying to do—or could have done—with the data.

Like electronic data, paper files are at risk for a breach.

Question six: Could a class action lawsuit be filed?
Assuming all your data has been compromised, a class action lawsuit seems likely. In the event one is filed, it has the potential to be the most costly part of the breach. In this situation, it’s not unreasonable to believe your business will be found liable.

The overall costs of a data breach can fluctuate dramatically depending on how you answered the previous questions. In general, these four costs will give you an estimate of the total outcome.
