Data breaches have been so common in professional businesses and retail in the last 5 or so years that, like stink bug invasions or polar vortex freezes, people simply accept them as a fact of life.
As individuals have found out, banks can cover most of the damage a breach of a company's financial data does to their bank accounts or credit cards. But when it comes to personal data like Social Security numbers, birthdays and health records, data that can't be changed or reissued, there isn't much that can be done after the fact.
On the company side, a breach can devastate a small business and be incredibly costly to enterprises. And with every breach, trust in a company flags. As the Ponemon Institute’s recent Cost of Data Breach Study: United States report points out, the biggest financial cost to companies is in the form of lost business.
Data breaches have become like background noise, but that doesn't mean they've become any less costly. The total average cost paid by a breached organization rose from $6.53 million to $7.01 million between the 2015 and 2016 editions of the study. Because those figures have moved little over the seven years Ponemon has tracked them, Ponemon treats the cost as a permanent one that businesses will have to face.
That said, here is what you need to know about the cost of data breaches from 2016 heading into the new year.
The 2017 Data Breach Cost…Depends
$7 million. Seven million dollars for something as small as an employee slip-up.
Like leaving a flash drive with company documents behind at an offsite meeting. Accessing a network drive over free Wi-Fi at a coffee shop. Using personal email to send client documents containing Personally Identifiable Information (PII). As detailed in this article on Shadow IT, unintentional employee error is incredibly common and costly.
However, as mentioned above, $7.01 million is an average, which means the cost isn't going to be the same for everyone. It can even differ between companies of the same size, because it doesn't depend so much on how big you are as on what sort of data you handle.
For instance, companies that handle PII or PHI (protected health information) are typically regulated by an outside entity, so a breach hits them far harder than, say, an agency that does market research. Healthcare, life sciences and finance face higher fines and an above-average rate of lost customers and business after a breach.
While the current average cost per record is $221, the healthcare industry cost can be up to $402 per record.
You Had One Job: Out-of-the-Box Settings
You’d think a tech team at a hospital would be sure to check the default settings of a file sharing and storage application, but you’d be wrong in this case.
In 2011, St. Joseph Health, a West Coast hospital system, used a storage service that also had a file sharing feature. The default setting on that feature made any uploaded file publicly available. The hospital did have a risk management company assess its systems, but the assessment was apparently not enterprise-wide, and the sharing default was never caught. As a result, from 2011 to 2012, a total of 31,800 medical records containing names, medical diagnoses and health information could be found using search engines like Google.
In the end, St. Joseph settled for a payment of $2,140,500.
A “Trusted” Business Associate
The cost of a data breach can also depend on who you trust. Your entire company could be security-conscious and impressively impervious to error, but if you don’t hold your vendors or contractors to the same standard, you may end up being the scapegoat for their mistakes.
It happened to the Children's National Medical Center (CNMC) in Washington, D.C. in 2016. A medical transcription company, Ascend Healthcare Systems, had misconfigured an FTP server and accidentally made the "names, dates of birth, medication, and physicians' notes regarding diagnosis and treatment" available for indexing by search engines.
Even though CNMC’s contract with Ascend was terminated in 2014, Ascend still had records from CNMC’s medical transcriptions on their FTP server in 2016 — records that were supposed to be deleted upon their contract’s end. Because of the configuration error, the transcription records of 4,107 young patients could be found by a simple name search on Google.
While a fine has not been officially cited, it's likely that because Ascend signed a Business Associate Agreement (BAA), it will be liable for costs related to the HIPAA violation. Calculated at the 2016 Ponemon study's healthcare per-record cost of $402, Ascend's loss for 4,107 records could total more than $1,651,014.
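The St. Joseph and Ascend incidents above share one root cause: a sharing or FTP service went live with settings nobody checked, and the defaults were the exposing ones. The page does not say which FTP software Ascend ran; the audit below is an added example (not code from the page or from any of the companies named) that assumes vsftpd-style directives and the upstream vsftpd.conf(5) defaults. It parses a config, fills in anything the admin left unset from those defaults, and flags every setting that would let an anonymous client or search-engine crawler read or write files. The two configs are constructed samples.

```python
"""Audit a vsftpd-style FTP configuration for settings that expose files.

Added example; assumes vsftpd.conf(5) semantics and upstream defaults.
"""
from dataclasses import dataclass

# Upstream vsftpd defaults for the directives this audit looks at.
# anonymous_enable defaulting to YES is the trap: an admin who never
# writes the line gets anonymous access without ever choosing it.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "chroot_local_user": "NO",
    "ssl_enable": "NO",
    "local_umask": "077",
}


@dataclass
class Finding:
    directive: str
    value: str
    source: str   # "explicit" if the config set it, "default" if inherited
    reason: str


def parse_vsftpd(text: str) -> dict:
    """Return {directive: value} from key=value lines; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def effective(settings: dict, key: str) -> tuple:
    """Value that will actually apply, and whether it was set or defaulted."""
    if key in settings:
        return settings[key], "explicit"
    return DEFAULTS[key], "default"


def audit_vsftpd(text: str) -> list:
    """List every directive whose effective value exposes the server."""
    s = parse_vsftpd(text)
    findings = []

    anon, src = effective(s, "anonymous_enable")
    if anon.upper() == "YES":
        findings.append(Finding("anonymous_enable", anon, src,
                                "anyone, including search-engine crawlers, "
                                "can log in and list or download files"))
        # Only meaningful when anonymous logins are on at all.
        for key in ("anon_upload_enable", "anon_mkdir_write_enable"):
            val, vsrc = effective(s, key)
            if val.upper() == "YES":
                findings.append(Finding(key, val, vsrc,
                                        "anonymous clients can write to the server"))

    chroot, src = effective(s, "chroot_local_user")
    if chroot.upper() != "YES":
        findings.append(Finding("chroot_local_user", chroot, src,
                                "authenticated users can browse outside their home"))

    ssl, src = effective(s, "ssl_enable")
    if ssl.upper() != "YES":
        findings.append(Finding("ssl_enable", ssl, src,
                                "credentials and file contents travel in cleartext"))

    umask, src = effective(s, "local_umask")
    # If the other-read bit is not masked, every uploaded file is world-readable.
    if int(umask, 8) & 0o004 == 0:
        findings.append(Finding("local_umask", umask, src,
                                "new uploads are readable by every account on the host"))
    return findings


# Constructed sample: a config that relies on defaults and exposes everything.
WEAK_CONFIG = """
listen=YES
write_enable=YES          # uploads allowed ...
anon_upload_enable=YES    # ... including by anonymous clients
local_umask=022
"""

# Constructed sample: the same server with the exposing settings closed.
HARDENED_CONFIG = """
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
local_umask=077
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_vsftpd(cfg))} finding(s)")
        for f in audit_vsftpd(cfg):
            print(f"  {f.directive}={f.value} ({f.source}): {f.reason}")
```

The first finding on the weak config is reported with source "default": the config never mentions anonymous_enable, yet anonymous access is on. That is exactly the failure mode in both incidents, and it is why an audit has to evaluate effective settings rather than grep for what an admin wrote.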
Treating Sensitive Data Like Any Other Data
Unlike CNMC, which at least had a BAA with Ascend, meaning Ascend would be liable for costs, Oregon Health & Science University (OHSU) had to take full responsibility for the ePHI of roughly 3,000 patients it had stored on a cloud server; the resulting settlement was announced in July 2016.
Because there was no BAA with the cloud server provider, there were no specific security standards the provider had to be held to. When an assessment was done, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) found that it was possible 1,361 of these individuals could be opened up to significant harm because of this.
OHSU also failed to properly encrypt patient information: two unencrypted laptops were discovered, and one unencrypted flash drive was reported stolen.
OHSU ended up paying the OCR $2.7 million for its negligence in safeguarding PHI.
Safeguarding Sensitive Data with Proper File Management
As you can see, the breaches above could all have been contained or even prevented with proper file management. Whether it's setting up an FTP server correctly, verifying the default settings of a third-party file sharing app, or providing an alternative to unencrypted laptops and thumb drives, a secure file sharing and storage app is clearly necessary, especially since per-record costs will keep rising into 2017.
To shrink the cost of a data breach and avoid the loss of data, profits and trust, a business must put every effort into safeguarding their private and sensitive data. This can be made all the easier by using a trusted file management and governance provider.
Minimize Your Cost of a Data Breach
Worried that a slip-up might cost you millions? Go with a governance-focused file management solution. We'll sign a BAA as well.
Want Cloud Storage?
Your files are stored safely on our cloud servers, cutting both hard and soft costs.
Need Enhanced Security?
Our on-premises server sits behind your firewall for enhanced security.
“We choose SmartFile because it is user-friendly, easy to setup, quick, efficient and customizable. SmartFile has made sharing files with our contacts, clients, consultants and between associates a whole lot quicker and easier.”
— Thanh Ly, Senior Database Administrator, Albert A Webb Associates