What are the financial costs of a data breach?
It has been a while since we last examined what sort of financial costs companies were enduring due to data breaches. As it happens, they’re finding out that information for themselves.
In the news this week are examples of a few such penalties. A 2016 breach is now costing retailer Eddie Bauer a $9.8 million bill, in a settlement with Veridian Credit Union. The bulk of their expenditures, according to documents filed with the U.S. District Court for the Western District of Washington, will be the approximately $5 million spent on improving their cybersecurity systems to prevent another incident in the future. Despite the settlement, Eddie Bauer “disputes the claims alleged in the Litigation and does not, by this Settlement or otherwise, admit any liability or wrongdoing of any kind.” Hopefully, this does not indicate a shortage of serious attention given to protecting their payment systems. Retail Dive suggests that these retailers may not be taking enough proactive steps to combat this issue.
Then again, if a business doesn’t believe it committed any wrongdoing, how can it take such measures?
Touchstone Medical Imaging is another company paying data breach settlements. Due to potential HIPAA violations stemming from an incident in which 300,000 patients had health data exposed, the company has agreed to pay $3 million to the Office for Civil Rights (OCR). In addition to the payment, a “corrective action plan” is required of Touchstone. All this is the result of accidentally allowing search engines access to patient data several years ago. In this case, Touchstone was found guilty of not sufficiently heeding, for some months, the warnings of both the FBI and OCR, who had notified them of the vulnerability. Nor did Touchstone have business associate agreements in place with its third-party vendors, agreements which ensure continued data protection across different business environments.
Financial penalties like these are nothing new. Along with reputational damage, they are the most serious consequences a breached entity can face. Last year Neiman Marcus paid $1.5 million, and companies like Amazon and Nordstrom have also suffered them. Unfortunately, those who ignore the warnings or fail to achieve compliance will face the same results.