The Consequences of a Breach: Can your business survive a cyberattack?
May 14, 2021
Capital One, Microsoft, Marriott, and more—cyberattacks on major companies seem to dominate the news. And yet, according to Verizon’s 2019 Data Breach Investigations Report (DBIR), nearly 43% of breach victims are small-to-medium-sized businesses (SMBs). Findings from the Insurance Bureau of Canada (IBC) even show that nearly one in five businesses (18%) have been affected by a cyberattack or data breach in the last two years.
Despite the surge in attacks worldwide, the general consensus remains the same: SMBs aren’t doing enough to bolster their cyber hygiene. 44% of small businesses have no defense against security incidents and 66% have no insurance to help them recover if an attack occurs, citing insufficient personnel and lack of resources as the main deterrents—and that was before the onslaught of COVID-19.
We know what you’re thinking: you’ve heard it all before. It’ll never happen to you. And even if it does, you’ll be fine, right? But the truth is: when client data is compromised in a breach, managing the aftermath can be time-consuming, costly, and downright disastrous for your brand image. Read on to find out why.
1. Regulatory Violations
To combat the growing threat of cybercrime, government and industry bodies across the world have introduced extensive privacy laws for all organizations that store personal data. These mandates, like the European Union’s General Data Protection Regulation (GDPR), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and more, are intended to strengthen accountability for unsecured data and penalize companies for the failure to safeguard, retain, or dispose of any personal information in their custody. Additional regulations may apply to organizations that collect personal health information, like PHIPAA in New Brunswick, PHIA in Newfoundland and Labrador, PHIA in Nova Scotia, and PHIPA in Ontario.
Although legislation varies between regions, these laws share some key points when it comes to data collection:
Data is subject to the rules and requirements of the region in which it is processed and where the client resides—not the business. This is a crucial point for any organizations that employ third-party software or cloud-based services, which may entail the cross-border transfer of information. To learn more about how cloud computing complicates jurisdictional privacy laws, read our whitepaper: The Cloud: Not Just a Place to Daydream Anymore.
Companies must, at all times, know where their data is located, who has access to it, and how it is protected. To learn more about PIPEDA’s requirements, read: All About PIPEDA: How do privacy laws affect my business?
In the event of a privacy breach, companies MUST alert all victims and appropriate governing bodies.
Unless companies take reasonable steps to secure client data, they risk severe penalties for compliance violations. If an organization is found negligent of an offence under PIPEDA (or any applicable provincial legislation), they could be held liable for up to $100,000 in fines.
And that’s just the tip of the iceberg. With cybercrime at record levels, privacy laws will only get stricter from here on out.
2. Financial Loss
Privacy breaches almost always end up being more pricey than anticipated. The Desjardins Group’s 2019 breach ultimately cost the organization a staggering $108 million, well over their initial estimated total of $70 million. While that’s certainly an exceptional case when it comes to breach expenses, IBM Security’s 2020 Cost of a Data Breach Report still puts the average global total cost of a data breach at $3.86 million.
Simply put, a data breach can be crippling for SMBs, most of which have a limited cybersecurity budget to begin with. In addition to regulatory fines, detection and escalation fees can add up quickly, with records involving customer PII (personally identifiable information) costing $150 per loss. That means if even 100 of your clients are affected, you’ll be out a minimum of nearly $15,000 in breach expenses already.
Breach remediation also usually includes fees for: legal counsel and defense, data restoration, public relations assistance, credit monitoring, and more. Plus, there’s always a possibility that victims may sue for damages, injury, or harm caused by the breach, compounding your organization’s overall losses.
3. Legal Action
The rise of privacy breaches has been accompanied by a commensurate spike in class action lawsuits across North America.
A class action is a civil lawsuit enabling a group of people that have suffered similar injuries to seek justice against a single defendant. Class actions are about strength in numbers: they decrease individual burden and attorney fees; they give people who might not otherwise be able to afford to sue an opportunity to restore their losses; they allow victims to band together and fight for fair compensation. Basically, they allow the “little guys” to fight back. And as a result, they’ve become much more common over the last few years, amid rising sentiment against larger businesses, corporations, and entities.
In the event of a breach, victims typically seek restitution for negligence, emotional distress, wasted time, damage to credit reputation, and invasion of privacy, as well as compromised data. Here are a few examples:
Casino Rama: After suffering a massive breach in October 2016 that exposed the data of at least 10,990 people, Casino Rama, CHC Casinos Canada Ltd., and OLG were hit with a $60M class action lawsuit. The lawsuit was ultimately denied by the Superior Court of Justice in 2019, but Casino Rama still endured three years of litigation, administrative fees, research and reporting fees, and more.
Equifax: Equifax’s 2017 data breach affected over 145 million people worldwide (including roughly 20,000 Canadians), which cost them nearly $1.4 billion in losses. In January, Equifax was ordered to pay out $380.5 million to all U.S. clients.
LifeLabs: The hack, which occurred in December of 2019, affected up to 15 million Canadians and has spawned multiple class action lawsuits, which have yet to be certified, for over $1.13 billion in compensation.
As the frequency and severity of breaches continue to mount, we can expect to see more group cases being brought to court.
4. Operational Disruptions
Business interruption costs can make matters worse. If your organization suffers a breach, you’ll need to hire a forensics team to determine how and when it occurred, what systems were bypassed, and how much information was compromised. During this review period, you might not be able to access your records, or they may be tied up in an investigation or litigation for a significant length of time.
Either way, there’s a chance you’ll have to shut down until the source of the breach—and an appropriate solution—are found, which could take days, weeks, or even months. In fact, the average life cycle of a breach from discovery to containment is 280 days. When a malicious attack is involved, that figure jumps to 315 days. Could your business comfortably survive being closed down for that long? Keep in mind: the longer your business is closed, the more likely clients are to leave. And the subsequent decline in revenue might prevent you from making a full recovery at all.
While system downtime will differ based on the organization’s size, industry, and available resources, an operational disruption of any kind will probably have a sizable and potentially devastating impact on business productivity.
5. Reputational Harm
The effects of reputational harm are severe, long-lasting, and often irreparable. At an average of $1.52 million, lost business remains the highest cost component of a breach (and has been for the last six years), comprising a whopping 40% of remediation expenses.
Why? When it comes to data security, word travels fast. And diminished goodwill, bad press, and a drop in share price can arguably do more long-term damage than forensics or notification costs, especially if a company fails to take swift action, apologize to, or even notify breach victims right away. Once you’ve lost that trust, it’s not easy to regain, or to attract new clients, employees, or investors for that matter. Highly regulated industries such as healthcare, finance, and pharmaceuticals are even more susceptible to steep turnover or churn rates since clients generally have greater expectations for privacy.
Still, companies continue to underestimate the effects of negative publicity. In 2019, CIRA’s annual Cybersecurity Survey indicated that only 13% of businesses felt that a cyberattack harmed their reputation. This is in sharp contrast to CIRA’s Canadians Deserve a Better Internet Report released the same year in which over 80% of Canadians said they wouldn’t continue to do business with an organization if their personal information was exposed in a cyberattack.
The Bottom Line
Regardless of size or industry, all organizations collect, store, and transmit vast amounts of confidential data, including:
Corporate data (e-signatures, valuable third-party connections, user credentials);
Intellectual property (project files, accounts); and most importantly,
Employee and customer PII (personally identifiable information).
And any business that collects, stores, and transmits confidential data is at risk of a privacy breach, particularly those that have an online presence, use e-commerce as a distribution method, or have company devices that hold personal or commercial information.
Given the global conditions, more companies are reliant on digital solutions, like email, cloud services, online forms, and more, than ever before. But these very technologies also boost their vulnerability to attack. And as more businesses expand their virtual presence, we will likely continue to see a steady and aggressive influx of cyberattacks.
What can you do?
Most SMBs believe that their business insurance will restore their records for a small add-on fee, but your general liability policies aren’t specifically designed to address cyber risk and won’t respond to cyberattacks unless explicitly stated. That’s why it’s critical for all organizations to adopt a risk management approach that focuses on cybersecurity AND Cyber Insurance to ward off any potential threats, shield their digital assets, and offset some of the financial costs.
For a list of standard cybersecurity measures, read: How to Keep Employees Cyber-Safe While Working From Home. For maximum protection, consider Data Security & Privacy Breach Insurance coverage. A dedicated, standalone cyber policy can help you access:
Funds for legal expenses and third-party damages;
A breach coach who will guide you through the legal process of navigating a breach under attorney-client privilege;
An IT forensic investigations team to help you determine the size and scope of the breach;
Funds to set up credit monitoring and notifications for affected parties;
A team of PR consultants to help manage your organization’s reputation.
Need guidance? PROLINK will help you plan and protect. We can share what steps others in your industry are taking and advise you based on your unique operations. To learn more about your cyber exposures, connect with PROLINK today or watch our video: What kind of businesses don’t need Cyber Insurance?