U.S. companies are paying more to notify people impacted by data breaches, according to the 2011 Cost of a Data Breach Study: United States. The average cost to notify victims of breach increased in this year’s study from approximately $510,000 to $560,000. At the same time, the average size of a breach is down 16 percent and the costs associated with the detection and escalation of data breach events declined as well, suggesting that companies may be more efficient in investigating data breaches.
So, if companies are better at detecting breaches and breaches involve fewer records, why are notification costs continuing to creep up?
The simple answer is that there are more laws and regulations governing data breach notification. Forty-six states now have data breach notification laws, and there are other regulatory requirements to deal with as well, such as HIPAA and HITECH. While each state's requirements for notification vary, notification is typically required when personal identifying information (PII) has been, or is "reasonably believed" to have been, breached.
There are some recent state breach law updates that companies should be aware of as well. In January, California updated its breach notification law to include more information in notices. Illinois also updated its law to include more details. But the biggest update on the state level will come next fall when a Texas law will go into effect that requires any company that does business in Texas (even if they have just one customer there) to notify all affected customers if a breach takes place, not just Texas customers.
The Securities and Exchange Commission (SEC) also issued guidance in October 2011 prompting public companies to disclose privacy breaches because they can be material events. The new SEC guidance does not add any requirements to a company's state-by-state obligations, but companies should consider the SEC's current position when weighing whether disclosures must be included in filings.
Ultimately, all of these regulations requiring disclosure are not only increasing notification costs, but they’re also making consumers somewhat numb to data breach notification. The most recent data from the Ponemon Institute on the cost of a data breach shows that consumers are less likely than before to take their business elsewhere when a company has a data breach. This is a significant shift. When notification requirements first came on the scene, notification was always couched in terms of identity theft, with real cases of people losing real money and having their lives disrupted. But, as time has gone on and notification requirements have evolved, consumers now may get a handful of notifications and never suffer financial loss or identity theft. I’ve gotten quite a few of these myself, and I’ve yet to suffer a financial loss as a result.
With all of these changing regulations, any organization that stores sensitive data needs to be in the know. Whether it’s customer credit card numbers, social security numbers, patient health information or email addresses, you need to protect it. Dealing with losses is definitely not cheaper, so investment in tighter controls makes sense.
To estimate your organization’s risk exposure, visit: www.databreachcalculator.com.
What are your thoughts on data breach notification laws?