Set the record straight: How safe is your data?

by emily_smibert | February 17, 2017 12:00 am

By David J. Sexton

The list of large corporations that have fallen victim to cyber attacks continues to grow. Likewise, the magnitude of the crimes committed continues to escalate. A research report from Ponemon Institute and IBM indicates the average total cost of a data breach in Canada is $5.32 million and the average cost per compromised record is $250.

Now, I have a sense of what most readers are probably thinking at this point: “The only organizations getting breached are worth billions of dollars and have just as many records! It would never cost my business that much and we’d never be targeted by a hacker in the first place.”

Unfortunately, that’s not the case. Sophisticated hacking techniques aren’t the only method to qualify as a true ‘data breach.’ Any event where personal or confidential information is lost or stolen can fit the definition. A data breach can include human error, which is not limited to the mistreatment of electronic data. If paper files containing sensitive information are stolen, that also constitutes a data breach.

If you’re in business, you’re exposed to data. If you’re exposed to data, you’re at risk for it to be stolen or lost. In order to properly protect your business, the cost of that risk needs to be addressed. To do so, here are six questions to consider that will influence four areas of costs specific to a data breach.

Question one: How many records were exposed?
This all depends on the size of your business and the type of breach that occurred, but it will be the primary driver of the costs.

For simplicity’s sake, let’s say the average jeweller makes sales to five new customers a day over a five-year period. That would amount to 9125 records, potentially resulting in more than $2 million in damages if the cost per compromised record was consistent with the $250 average. Your business would also be responsible for those five years’ worth of employees, contractors, and other business relationship records.

Protecting your clients’ personal identifiable information, including their credit card numbers, is critical. A breach here can be the costliest of all.

Question two: What type of data was exposed?
Data can be broken down into three categories: ‘PHI,’ ‘PCI,’ and ‘PII.’ PHI stands for ‘personal health information,’ so this category has little risk in the jewellery industry. However, you still need to be mindful of employee data falling under this category.

PCI stands for ‘payment card information.’ The Payment Card Industry Security Standard Council (PCI) created the PCI Data Security Standard to securely manage data involved in financial transactions. However, since businesses run on the cash they bring in from their customers, many organizations these days are concerned with more than just a place to charge the bill. They want to know their customers more intimately, so they become loyal and make repeat purchases. This is where PII comes in.

Personal identifiable information includes elements of PCI, such as credit card information, but it also includes much more, such as name, e-mail, bank account details, etc. PII breaches are the most costly because they reveal so much and are able to connect an individual to data points, such as credit card numbers.

Question three: Was this the first breach at your organization?
If you have had a data breach in the past, the fines and penalties associated with subsequent breaches may rise and create additional costs. The punitive damages are aimed at encouraging organizations to bolster their data security practices to avoid having a breach occur again.

Large corporations are not the only entities susceptible to being hacked. Regardless of size, any business is at risk.

Question four: Did you store your data in a centralized system or location?
Storing your data in a centralized location is not just a good business management practice, but it will also save you time and money in the event of a data breach. Data stored in multiple places makes it more difficult to determine the source and scope of the breach.

Question five: Do you suspect fraudulent activity?
Any suspicion of fraudulent activity regarding improper use of your data eventually leads to higher costs for your business, as more legal action will be required. Additional investigation may also be needed to determine the motive behind the fraud and what the criminals were trying to do—or could have done—with the data.

Like electronic data, paper files are at risk for a breach.

Question six: Could a class action lawsuit be filed?
Assuming all your data has been compromised, a class action lawsuit seems likely. In the event one is filed, it has the potential to be the most costly part of the breach. In this situation, it’s not unreasonable to believe your business will be found liable.

The overall costs of a data breach can fluctuate dramatically depending on how you answered the previous questions. In general, these four costs will give you an estimate of the total outcome.

Cost one: Incident investigation
Remediating your security and being compliant with the electronic discovery process can create the bulk of these costs, but you’ll also be liable for a forensic investigation. It’s important to note that detection costs are the largest component of data breach costs overall. They make up $91 of the $250 per record.¹

Cost two: Crisis management and customer notification
You’ll need to notify your customers of the breach and also monitor their credit and ID. Additionally, to protect your brand, it’s strongly recommended you increase your public relations and client care efforts, including staffing your customer service centre, responding to e-mail inquiries, and analyzing how your future marketing strategies will manage this negative incident.

Cost three: Regulatory fines and penalties
Punitive damages vary based on the circumstances of your breach, but either way, you will possibly be held liable in some way. Remember, if your business has been breached in the past, these fines and penalties could escalate significantly.

Cost four: Legal defence²
Has defending a lawsuit ever been seen as affordable? While a good lawyer is important to have in these situations, it’s critical to remember this won’t just be a flat fee whether you’ve had 100 or 100,000 records compromised. The cost of the defence will rise as the number of breached records does, since it will require more resources to defend the extra records.

Protecting your business starts here
As technology changes every day, your data management practices alone may not be enough to keep your business out of harm’s way from a cyber attack. Check with your jewellery insurance provider to find out how an insurance policy does more than offer protection against these risks. 

1 See the 2015 Cost of Data Breach Study: Canada, Ponemon Institute Research Report.
2 Legal defence not available with Jewelers Mutual’s data breach and cyber-related coverage in Canada.

David J. Sexton, CPCU, is vice-president of loss prevention consulting at Jewelers Mutual Insurance Co., in the United States. A graduate of the University of Wisconsin, Sexton serves on the Underwriters’ Laboratories’ (UL) Security Systems Council, where he is a corporate member of the insurance category. He also sits on the board of directors for Jewellers Vigilance Canada (JVC), and worked on the Central Station Alarm Association’s (CSAA’s) Insurance Liaison Committee that assisted in the development of the UL burglar alarm modular certificate program and revised UL standard. Comments and questions can be sent to lossprevention@jminsure.com.

For resources regarding safety and security when carrying or working with jewellery, visit JewelersMutual.com. Jewelers Mutual Insurance Co., is the only company specializing exclusively in jewellery insurance in the United States and Canada. It is licensed in all 50 states and Canada.

Source URL: https://www.jewellerybusiness.com/features/set-the-record-straight-how-safe-is-your-data/