Since February 2005 (the tracking date begins with the ChoicePoint debacle), the Privacy Rights Clearinghouse has identified over 99 million data records exposed because of security breaches. Further, as reported by Network World, a recent benchmark study from the Ponemon Institute found that the average cost of a data breach for a company is nearly $5 million. The study also recorded a rise in expenses for recovery costs, including costs to notify customers of the breach. As previously blogged, the majority of U.S. states currently require or are considering legislation to require that companies notify their customers when the security of personal data has been breached. While the Ponemon study surveys only 31 companies, it does provide data for actual costs incurred by the companies surveyed. It’s worth checking out, if only to get a feel for the incremental costs companies can incur when complying with legislated customer notification requirements.
Insurance coverage is available to transfer some of the risk arising from customer notification expenses. Look for policies providing supplemental payments, or limits, for privacy notification and crisis management expenses. And look for those limits to include protection for such activities as credit monitoring services, public relations-related activities, communications to notify customers, and immediate steps taken to minimize the data breach and re-secure the information. Check out the Security section of our blog for more information about identity theft and insurance coverages.