When organizations first begin to address what can seem like the insurmountable task of PCI compliance, many are tempted to give up. They may convince themselves that simply dealing with the possibility of a data breach will be easier than achieving and maintaining compliance with all 300+ requirements of the PCI DSS. Unfortunately, these organizations don't realize how much damage a data breach can really cause, both directly and indirectly, for their customers and for their organization.
The Ponemon Institute's 2017 Cost of Data Breach Study, released last month, examines data breach incidents globally and estimates their overall cost to organizations each year. For the first time since the study began in 2006, the report documented a global decrease in the average cost of a data breach. In the U.S., however, the average cost of a data breach is rising: it now stands at $7.35 million, a 5% increase over 2016.
According to the report, the average number of records exposed in a breach is 28,512, and the average cost per stolen record containing sensitive and confidential information has risen to $225, a new high. The report breaks that $225 down into indirect and direct costs: $146 is attributed to indirect costs such as abnormal customer churn caused by reputational damage, and $79 to direct costs incurred in resolving the breach, such as technology investments or legal fees. When the breach is caused by malicious activity or a criminal attack, the cost rises to $244 per record.
Industries such as healthcare and financial services have higher costs per record (over $300) because of heavier regulation and disclosure requirements, and because customer churn driven by reputational damage is higher. Industry experts also note that the cost of detection in healthcare is often higher because organizations lack the tools and expertise to recognize and identify potential breaches. The average cost of a data breach in the U.S. education industry came to $245 per record. Why is education above the overall average? The report identifies two trends that add expense for colleges and universities: increased use of mobile platforms, which adds complexity to IT security risk and added $6.50 per record breached, and compliance failures, which added $19.30 per record through fines and penalties. Education's costs are also high because it takes longer to identify and contain breaches there: incidents in higher education take an average of 221 days to contain and another 83 days after that to fully respond, while the financial sector averages 155 days to identify, contain, and respond to a breach.
Time is money: the faster an organization identifies and contains a breach, the lower the cost. In the report, breaches detected in 100 days or less cost an average of $5.99 million, while those that took longer than 100 days to detect cost $8.7 million. As your organization looks for ways to cut costs, shortening that detection and containment window is one of the more straightforward investments it can make.
Here are some costs that should be factored in when your organization is weighing the risk of a data breach:
- Fines – In the event of a data breach, the card brands can assess fines of up to $500,000 per brand, per breach.
- Breach notification – Your organization may have to notify all victims and replace any cards.
- Credit monitoring – Your organization may also have to provide credit monitoring services for several years following the breach at anywhere from $10-$20 per card.
- Forensic investigations – Hiring a third-party organization to determine the cause of the incident can be very expensive.
- Attestation requirements – Your organization’s merchant level can be increased and you may have to validate via a Report on Compliance (ROC) instead of a Self-Assessment Questionnaire (SAQ).
- Penalties – Increased processing fees or removal of ability to accept payments.
- Legal fees – Victims or organizations involved may also file civil suits.
- Reputational damage – This can be the most significant cost and one that will continue for years following a breach. In a typical breach, over 50% of the cost is due to lost customers, increased customer acquisition activities, and diminished goodwill.
Being proactive about cybersecurity (keeping infrastructure updated, requiring strong passwords, using multi-factor authentication, training employees, and having a tested incident response plan in place) is another way organizations can reduce the reputational and financial consequences of a data breach. The Ponemon report found that organizations with an incident response team in place lowered their cost per record by more than $19, those that used encryption extensively reduced it by $16 per record, and those with a comprehensive staff training program lowered it by $12.50. There are more examples in the full report, but this should give you an idea of how quickly compliance with the PCI DSS can begin to pay off, and of how much ignoring its requirements can cost your bottom line.
Please reach out to us with any questions.
Some additional guidance from our Security Advisor team below:
[Gilmore]: The loss of sensitive data is a terrible blow to an institution no matter if it is a retail business, government agency, health care facility, or a learning institution.
Many leaders in these areas decide that having insurance is the simplest way to mitigate a problem; however, this is not true. It may be a way to pay for the immediate costs, fines, and fees, but it does little to persuade those now-hurt customers, who are likely not to trust your processes any more, to make any purchases. Many of these customers not only have an issue with the lost identity, but may also now be in a financial pickle with their mortgage company, auto finance company, day care, power company, and many other daily situations that can no longer be handled because of poor security choices surrounding the protection of *their* information.
The best way to lower the risk of losing someone's sensitive data is to reduce your organization's PCI footprint. Review *all* procedures for handling payment card information. If it isn't secure, fix it, especially if the process is an electronic method of collection, storage, or transmission. Also, clean up any paper used to collect payment information. Any storage of credit card information on paper needs to have a defined reason, and a *good* reason.
It is not the intention of the PCI DSS to stop business from happening. Without business there would be no need for the security; however, security must always be brought to the level of the business operation.