TOP REASONS YOU NEED TO ENCRYPT YOUR DATA
Lost or Stolen Devices
There are a lot of ways these devices can disappear: accidental loss, malicious employees, lack of tracking, etc. According to hhs.gov, since September 2009, there have been 646 breaches impacting 500 or more individuals. More than half of the incidents involved lost or stolen unencrypted devices.
The headlines are out there:
- Four McLean Hospital backup data tapes go missing, thousands affected - four unencrypted backup data tapes went missing.
- UK Insurer (Royal Sun Alliance) loses portable storage device from data center with sensitive customer data.
- Employee with California bank puts customer loan data at risk - An employee handled mortgage loan files stored on a removable disk drive in a manner contrary to the bank's policies and instructions
- California dentist announces theft of server containing patient information – (office burglary)
- Data at risk following burglary at Liberty Tax Service office in California - Computer towers containing the personal information were stolen during a burglary
- Advocate Medical Breach - four unencrypted computers stolen during an office burglary
You may incur many additional expenses including the cost of reissuing cards to customers
If the breach involves credit card information, the cost of reissuing cards can likely fall to you. According to a Bank Technology News article, the cost of creating and mailing a new debit card for a small community bank under $1B in assets is around $11. Larger banks have economy of scale on their side, which brings the cost down to $2.70. Reissuing credit cards ranges from $12.75 to $2.99 for the larger banks.
- On top of the $25M AT&T settlement, the company was ordered to:
  - Develop and implement a comprehensive compliance plan
  - Conduct a privacy risk assessment
  - Implement an information security program
  - Prepare a compliance manual
  - Provide employees with regular training on privacy law and the company's privacy policies
  - Appoint a senior compliance manager who is privacy certified
  - Notify all affected customers and provide them with free credit monitoring services
- Target Corp. agreed to reimburse thousands of financial institutions as much as $67 million for costs incurred from a massive 2013 data breach
You could face potential lawsuits by individual customers in the event of a breach
A breach of personal information can be very damaging to customers. Suits can range from large class action to individual breach victims. Plaintiffs can seek damages for damage to credit, costs of credit and/or identity theft monitoring, costs of card replacement, risk of future harm, emotional distress, fraudulent purchases, and more. Example:
- A law firm has initiated a class action lawsuit against Home Depot for the exposure of 56 million debit and credit card numbers. According to a New York Times interview with former security employees of the company, Home Depot security allegedly relied on outdated software to secure its systems.
You may incur the costs of a forensic investigation conducted by an independent agency
Determining how the breach occurred, who was responsible, and what technology, electronic systems, and processes were involved will require analysis. Depending upon your industry, or simply for the reassurance of your customers, you may be required to secure these services from independent agencies. Most regulatory bodies will require a full justification of how the breach occurred and what actions were taken to remedy the situation. This can be quite costly, particularly to a small business. Examples:
- Homebridge retained a data forensics and cybersecurity firm to assist in investigating the incident after valuable human resource records were accessed and used to file fraudulent tax returns.
- HITRUST, a data security organization, paid for an independent security assessment program for associates of five insurance plans and pharmacy chains after their systems were hacked, exposing 111 health records.
Small businesses are potential targets
Small businesses typically do not have the resources of large companies or dedicated professionals to handle network issues, and subsequently fall prey to hackers, cyber attacks and other data breaches.
- Business News Daily reports that “small businesses fall into hackers' cybersecurity ‘sweet spot’. They have more digital assets to target than an individual consumer has, but less security than a larger enterprise.”
- Symantec’s Internet Security Threat Report 2013 reports that in 2012, 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees.
- The National Small Business Association Technology Report indicates that in 2013, 44% of small businesses reported having been attacked with an average cost of $8,700.
You can experience damage to your business reputation
A breach does not just damage large businesses with known brands. Small firms, doctor and dental offices, and corner markets equally can experience reputation and brand damage due to data loss or breach.
A Ponemon Institute survey of nearly 850 executives found that the average time it takes to restore an organization's reputation is one year. Do you have a year to devote to recovering from damage to your reputation? Wouldn’t it be much easier just to encrypt your data?
A research study commissioned by Semafone® indicates that the majority of people surveyed would not do business with a company that had failed to protect its customers’ credit card data. 86.55% of 2,000 respondents stated that they were “not at all likely” or “not very likely” to do business with an organization that had suffered a data breach involving credit or debit card details.
AND THE #1 REASON...
$$$ Fines and Penalties – Need we say more?
Pay now or pay later. Encryption is far less expensive than a data breach. The list of businesses and organizations that have had to pay fines and penalties due to a data breach is becoming endless and the fines are staggering.
Here are just a few:
- Target: the firm's latest earnings report indicates that the net expense of the breach stands at $162 million. The actual total has now reached a gross expense of $191 million.
- AT&T: $25 million
- Anthem: $1.7 million
Healthcare faces the greatest penalties. Here are some from the hhs.gov website:
- Parkview Health System, Inc. (Parkview) will pay $800,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.
- New York and Presbyterian Hospital (NYP) has agreed to pay OCR $3.3 million to settle potential HIPAA violations.
- Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health and Human Services (HHS) for violations.
- Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ, has agreed to pay the U.S. Department of Health and Human Services a $100,000 settlement.