Blog | Townsend Security

Data Breach? We’ll Just Pay the Fine!

Written by Patrick Townsend | Oct 1, 2012 7:00:00 PM


I was teaching a class in the basics of encryption and key management this last week and was reminded again of one deadly attitude that sometimes circulates in the executive ranks of some organizations.

At the beginning of a class I often take an informal poll to see how many attendees are storing sensitive data unencrypted. In this particular class, I was expecting to see about half the class raise their hands, and I wasn’t disappointed. I then asked the “why” question: What is preventing you from making progress in getting your sensitive data encrypted? I know that there is still a strong perception that encryption and key management are difficult and expensive (they aren’t), and I know how hard it is to educate senior management.

But it’s always a bit surprising to hear someone say “Our management says they will just pay the fine for a data breach.”

I thought about it a moment, then shared with the class that I’ve had that same exact attitude about parking tickets. In any large city you can experience the nearly impossible task of finding a parking space. In frustration, I’ve parked illegally and just paid the fine. So, I know where this attitude comes from.

But, a data breach is not like a parking ticket.

For the class I started to tick off the types of costs associated with a data breach:

  • Yes, there is a fine. And yes, most organizations can pay the fine. But the fine is sometimes a small part of the total cost. Most recent numbers show a data breach costs an organization on average $5.5 million.
  • If credit card information was lost, you may see an increase in your fee structure. That’s going to hurt if you do a big percentage of your business through credit card transactions.
  • You are likely going to be required in the settlement process to agree to on-site audits by an external security auditing company for a number of years. That’s going to be really expensive.
  • The data breach may hit the bottom line through lost customers. When customers no longer trust a company to protect them from fraud, they go elsewhere. Sometimes they only have to point their browser somewhere else. Lost profits can really hurt.
  • There may be significant costs associated with the forensics that must be done to identify individuals impacted by the lost data. I know of one company that spent $17 million on the forensics before they even got around to paying the fine.
  • You will likely be required to purchase credit monitoring services for everyone whose information was compromised. That may be for just a year, or it may be longer.
  • There are often litigation costs. If your data breach caused banks to have to re-issue cards, you can bet they are going to want to recover that cost from you.
  • Your IT management and technical team will probably lose a year of productive time dealing with the breach. This cost may seem intangible, but it is real. Think of the impact on your company if you can’t make any progress on your strategic plans. The opportunity cost can be huge.
  • Lastly, careers are often damaged or ended by a data breach, especially if the original attitude was “We’ll just pay the fine.” In retrospect, that attitude is going to look like negligence. And people get burned out dealing with the stress of remediating their systems under pressure. So, add personnel costs to the list.

At the end of this discussion there were people in the room just shaking their heads in agreement. They had been through it and knew exactly what it was like.

The next time you hear someone say they will just pay the fine, hand them this blog. I am pretty sure they are underestimating the impact of a data breach. Download our White Paper "AES Encryption Strategies: A White Paper for the IT Executive" to learn more about identifying key issues in data security, how to choose the right data security partner, and how to develop a strategy that ensures some early success.

Patrick