A recent Wall Street Journal Article discussed why a California company, Impairment Resources LLC, has filed for Chapter 7 relief under the US Bankruptcy Code due to data breach.

The breach was a result of thieves breaking in and stealing computer hard drives that had medical information of about 14,000 individuals.   The financial impact was so great that the company could not stay in business. 

But how great could this impact really be?  The article does not discuss that question however; we are going to look at here.  There is valuable insight you can gain which will help you better ascertain the financial impact on your business or organization.

When it comes to looking at the cost of a data breach there are two general cost categories.  The first are lawsuits from individuals whose private information was breached or other companies who suffered a financial loss due to your company having a breach.   Costs would include the cost to defend your organization and also any court awarded damages or out of court settlements.

The second are the cost a company incurs to investigate, notify, and rectify the situation before a lawsuit is even presented.  This latter category, which we will call INR, is what we are going to focus on; not because that figure is easier to quantify but has it has immediate impact on the financial resources of a company or non-profit organization.

 Some of the INR costs come from the following: 

1. Finding out how the breach occurred.  If this is not performed by internal staff an outside Forensic Investigator is hired.
2. Finding out who was affected by the breach.
3. Hiring an attorney to investigate what laws apply to the breach, identify who must be notified and how soon you need to act.
4. Notifying the individuals via directly by mail/email and by other media outlets.
5. Notifying government agencies and officials on both the state and federal level.
6. Hiring a Public Relations firm to help direct and manage your message to the media and public.
7. Managing a call center to handle customer phone calls and credit monitoring services for those who were affected by the breach you had.  Some laws require you to provide credit monitoring for a period of time.
8. Dealing with legal costs from a government agency investigating you because of a breach.
9. Fines & Penalties from a government agency due to the breach you had.

One data breach calculator we encourage people to look at is found here.  It will give a business owner a general idea of what the above mentioned costs could be.  Using this calculator the 14,000 records stolen from Impairment Resources would probably cost about $2,327,808.  Bear in mind this not a firm number however it gives you an idea of the financial impact and can explain why a company like Impairment Resources went into Bankruptcy.

Even with such a high figure already there are other costs the data loss calculator does not provide.  Some of these costs are more specific to your company such as: 

1. Loss of Income from a data breach.
2. Cost to recreate lost or damaged data.  Some companies have had their data corrupted by thieves after they copied it.
3. Cost to replace stolen or damaged equipment.
4. Threats of Extortion.  In rare cases there have been threats made to a company stating if they didn’t pay a ransom that stolen private data would be released, destroyed or corrupted.
5. Costs to upgrade internal policies, procedures or computer hardware/software and security systems to prevent a future breach.
6. Overtime Payroll for employees who are now handling an additional task(s) due to the breach
7. Lost opportunity costs.

What would be the financial impact to your company or organization if you had a data breach?

We have been counseling New Jersey based companies on the impact of a data breach and the most common perception is it can’t happen here.  But in reality it can.

Over the past 10 years we have seen new privacy laws on both the state and federal level apply to any businesses that use or obtain any of the following information of their clients: 

1. Credit Card or Bank Information
2. Drivers License Numbers
3. Medical Information
4. Social Security Numbers

The Wall Street Journal reported about a business that never keeps client information but yet suffered a breach.  The business was a retail book store, who found out that for a period of time their Point of Sale Credit Card processing software was compromised by a computer hacker.  Malicious software copied the credit card information and sent it over the internet to an unknown party.

Even if you think that your company is too small to be on the radar screen of a malicious attack think again.  Impairment Resources said their assets are only worth around $226,000.  Can your company afford to pay for a data breach?

More insurance carriers are coming out with insurance products that are designed to provide protection of a data breach.  But not all policies are the same, even though they may call their product by some generic name like Privacy Liability Insurance or Data Breach Liability.

For instance some policies only provide coverage if there is a data breach that happened over the Internet.  But would not provide protection for a breach similar to what Impairment Resources had.  Other policies provide protection for lawsuits that result from a breach but not provide reimbursement for INR costs.   There are so many variations that it would take few more articles to our blog to point out the differences.

In conclusion while we do not know the exact financial figure that brought Impaired Resources to declare bankruptcy, we can get a general idea of how severe it could be.  Also insurance coverage is available to help offset some of these costs should a company have a data breach.  But it’s important to understand the kind of coverage you need.

If you have any questions or would like to discuss this topic further, give us a call or drop us a note at info@rueinsurance.com.  We would love to hear from you.