There were over 3,000 reported data breaches in 2015, affecting over 370 million records. That includes 3 major incidents involving over 10 million records each in Q3 alone. That’s a 29% uptick in reported breaches over 2014.1
The damage a cyberbreach can cause a company is starting to sink in, especially as large breaches continue to make headlines. Among companies hit by a cyberbreach, 76% say it’s equal to or greater than a natural disaster or fire in terms of disruption, according to a survey by the Ponemon Institute, an independent privacy and information security organization.2
Even a single breach can disrupt business and shatter a company’s reputation. According to CheckPoint Software Technologies’ President Shahar Tal, the average data breach experienced by its customers takes 46 days to resolve and costs $21,155 per day in IT costs, totaling some $973,130 per breach.3 Many companies have spent over the average cost of $3.8M rebuilding their brand and reestablishing goodwill after a data breach.4
The potential costs of a breach include not only remediation, notification, and credit monitoring, but also lost business, legal fees and harm to reputation and goodwill. Think about the Sony Pictures breach in 2014—it didn’t even break the top thirty breaches in terms of number of records affected in a breach that year. But the breach and data dump (in which Sony employee information and trade secrets were leaked) clearly hurt Sony’s reputation immeasurably.5
Or, consider the Target breach of 2013, which was publicly disclosed in the midst of the holiday sales season, just a week before Christmas. Target reported sales down 6.6% in that same quarter, and profits down 46% from the year-before quarter to $520 million. 6 But while Target has provided no public estimate of lost profits due to the breach, its 2013 earnings-per-share (EPS) was $3.07–almost 13% shy of the $3.52 expected in its Q3 2013 report (or a $285M shortfall total).7 Even subtracting Target’s $17M in direct, unreimbursed expenses due to the breach in Q4 2013, it is safe to say that the retailer likely lost many tens, if not as much as a few hundred million dollars in sales profits due to the breach — in Q4 2013 alone!
In light of the potential costs of a breach — including attorneys fees — it makes sense to hire expert counsel to help prevent such incidents as well as to deal with them when they happen. And legal advisors like us, who are with you all the way, are best-positioned to help you respond if and when an incident does occur. With us, there is little or no learning curve, since we are already familiar with your systems and operations.
Beyond the obvious costs of a breach, companies need to be aware of the rising tide of punitive legal risks of breach. These include regulatory penalties for privacy violations, penalties for negligent information security practices, and penalties for failure to meet specific requirements or benchmarks. Such fines and penalties can be statutory (such as under U.S. state data breach notification laws) or the result of enforcement actions under broad mandates (such as FTC’s Section 5 “unfair or deceptive practice” authority, HIPAA, SOX or FCRA; or in Europe, the EU Data Protection Directive), or even result from private industry self-regulatory regimes (like PCI-DSS). As the law covering privacy and data breach grows, so too will the legal risks of breach. We help you get a handle on these risks like no one else.
You were smart to buy insurance, which helps mitigate the costs of a breach. But does your policy cover loss of business, reputation, goodwill, and customers? In fact, such hard-to-price (but undeniably important) types of damages are not covered under “cyber insurance” policies. Most cyber insurance policies do cover the direct expenses associated with the breach, such as IT forensics, notifying persons impacted by the breach, and providing identity theft monitoring; but does your policy cover secondary expenses incurred in dealing with the fallout, like class action legal defense costs? The answer, surprisingly, is often “no” — if you get sued after a breach, you may be on your own, left to hire attorneys at a high hourly rate. And even if these expenses are covered, they are likely to be limited by a coverage ceiling.
Take the Target data breach of 2013 for example, once again. This mega-breach, which affected some 70 million customer records, was revealed by Target to have cost it $252M in direct expenditures over 2013 and 2014. However, only $90M was reimbursed by insurance during that period, leaving Target with $162M in outright expenses — a coverage ratio of only about 36%.8 And this doesn’t account at all for past and future litigation costs over the incident from banks, payment card networks and consumers, including potential settlements (amounts Target set aside for payment card companies in 2013 and 2014 were only for covering PC companies’ direct expenses in dealing with the breach, not their losses due to eventual card fraud). Nor does it account for the (likely sizeable) indirect costs in terms of business losses mentioned above. Indeed, Target has reported that the 2013 breach may end up costing it over $1B in total.9 So, while insurance undoubtedly helps, it is clearly not a “cure-all”.
According to Harris Tsangaris of insurance brokerage NFP Property & Casualty, premiums averaged about $2,500 per year in 2015, but they can be as high as $10,000 per month depending on the company.10 But it gets worse: after the wave of high-profile breaches in 2014 and 2015, cyber insurance costs are set to skyrocket.11 Cybersecurity is the fastest growing, and fastest changing, part of the insurance industry. Going forward, companies can expect sharply rising premiums—to as much as double or triple the 2015 levels—and deductibles, and for coverage limits to come down. Qualitatively, insurers are becoming strict and selective in their underwriting. Now, to obtain coverage and lower premiums, companies must demonstrate specific steps they have taken to minimize their vulnerabilities and mitigate threats, including data loss prevention and incident response plans.
In the modern marketplace, you need knowledgeable attorneys working with you proactively, every step of the way; not only helping to shape your infosec policies, but also providing assurance to all stakeholders — including insurers — that confidentiality and security are priorities, and that you’ve diligently prepared for the worst. We can also help you negotiate with insurers to ensure you obtain the most suitable coverage.
We’ve done it all. We’ve handled privacy and information security on the government side, the private side, the legal side, and the business side. We’ve written and rewritten the book on data breaches, and we know the relevant technicals inside and out — because we’ve worked with them not only as lawyers but also as technicians. So we are comfortable in private advisory contexts as well as government reporting and liaising (we can serve as the liaison with the FBI, DHS, the Secret Service, the FTC or any other government agency); further, we can work not only with the purely legal aspects of information security law, but also the technical aspects crucial to understanding how compliance and risk management are implemented.
Data breaches are a concern for any modern organization. So we don’t discriminate. We’ve helped retailers, insurers, drug and medical device manufacturers, healthcare providers, energy companies, nonprofits, and banks and financial services firms, large and small. If your organization is looking for highly-skilled yet affordable legal attention to your privacy and breach needs, we’re the firm for you.
We provide “end-to-end” tech-savvy legal counseling for information security, all delivered for a flat fee. Our emphasis is on risk assessment, preparation, prevention and compliance — but if a breach nevertheless occurs, we will provide attorney incident response work that fully covers all non-litigation aspects (such as investigation coordination, notification, and engaging identity theft prevention services) and provides partial coverage for litigation. Knowing that you have a data breach law firm in your corner from the outset and that the essentials are covered provides you with peace of mind. In contrast, hiring an outside firm when an incident happens could cost you $50,000-$100,000 or more and comes with the extra expense and anxiety of dealing with people who aren’t as familiar with your organization or your current information security picture. Because we’ll be working with you before a breach, we’ll already be familiar with you, and you with our firm, allowing for a more efficient and effective response if something does happen.
On the front-end, we work with you to assess & refine the cybersecurity posture of your business, including:
If an incident occurs, we will be ready to swing into action, with:
And you can rest assured that through all of the above we maintain privilege shield-protected attorney-client communications — safeguarded with our secure cloud-based digital platform — giving you maximum confidence that your sensitive information security and legal deliberations will be protected from breaches, as well as presumptively protected from disclosure to courtroom opponents.
We tailor our services and flat-fee pricing to your situation. Extra services come at a discounted hourly rate — a luxury we can afford because of our unique business model.
Other firms — even those lacking our level of expertise — tend to overcharge, effectively billing you for lavish overhead, background research, and “learning time.” Through our flat-fee service, we’ve “flipped the script,” so we can meaningfully inform your information security program and ensure that privacy safeguards are “baked into” your business. No more agonizing over whether it’s worth picking up the phone to get the lawyers involved when it comes to your data security. At the end of the day, this arrangement provides the most value, and it best aligns our interests as attorney-advisors with your interests.
Copyright © 2019 | MH Purity lite WordPress Theme by MH Themes