Once an organization's network is breached, extinguishing the flames is just the first step in a long, painful and costly journey to recovery. There's still the wreckage to sift through, investigators to perform analyses, insurance claims and, of course, a business to reconstruct and secure. It isn't business as usual once operations are restored; a breach can plague an organization for years.
Financial aftermath smolders
Not long after the event, the breach's impact on stock price and earnings becomes clear. In July, just weeks after it was breached by the NotPetya malware, FedEx announced it expected a material loss associated with the attack. Medical software vendor Nuance issued a similar warning that revenue and earnings results would be negatively impacted by the ransomware.
Studies have shown that after a breach, a company's revenue losses average between $2 and $4 million, the stock price drops between three and seven percent, and a significant number of customers are lost.
Then come the lawsuits
In the months following a breach, litigation notices arrive, kicking off a process that could drag on for years. In just the last 24 months, nearly $370 million was paid to settle data breach lawsuits in the US. Among them were two settlements totaling nearly $45 million by Home Depot, and a $28 million settlement by the poster child of data breaches, Target.
But the largest class action lawsuit in history belongs to Yahoo! A week after it announced a 2014 data breach had compromised the private information of 500 million users, attorneys filed a negligence lawsuit against the tech giant for failing to protect consumers. The potentially devastating effects from the loss of personal information can mean huge settlements for victims.
Then shareholders arrive with flaming torches
Investors are increasingly looking to hold company directors and officers accountable for breaches, citing violation of fiduciary duty, waste of corporate assets, and gross mismanagement.
After the Target breach, shareholders filed a suit against 13 officers and directors, alleging breach of fiduciary duty and waste of corporate assets. A similar suit against Wyndham Worldwide was filed in 2013. In February of this year, Yahoo shareholders filed a complaint claiming the company failed to properly alert consumers that 1.5 billion users' data was stolen by hackers.
Shareholder lawsuits are a red flag for company directors, a warning that they must keep on top of cybersecurity issues. While the Target and Wyndham suits were dismissed, it wasn't without significant legal costs. And lawyers will continue to pursue this type of litigation in an effort to capitalize on the chronic cybersecurity risks companies face.
Next come the Feds
Depending on the nature of the breach, the information compromised, and the readiness and response of the company, both federal and state enforcement authorities, now cracking down on data breaches, may also come knocking.
If a company is found to have violated the Health Insurance Portability and Accountability Act, the Department of Health and Human Services will get involved. Managed care provider WellPoint shelled out $1.7 million in 2013 to settle alleged HIPAA violations related to a breach four years earlier.
If a company fails to provide adequate security or fails to live up to its stated security standards, it can be sued by the Federal Trade Commission. If security lapses can be classified as unfair, deceptive or abusive conduct, the Consumer Financial Protection Bureau can bring action. If a communications company fails to properly protect customer information, actions by the FCC can result. And so it goes. Government is on high alert when it comes to breaches.
Finally, got cyber insurance?
Whether covered or not, cyber insurance may not be the panacea organizations hope for. As data breaches occur with increasing frequency, insurance companies are looking to cash in on what could be a multi-billion-dollar market. But it's a new frontier and the industry is grappling with the fact that a single vulnerability could trigger billions of dollars in losses. So buyer beware!
For organizations that go this route, it's not always clear what such coverage entails, where existing liability policies end and cyber insurance begins, and whether the policies are comprehensive in terms of exposure. Sony went to court to force its insurers to cover the PlayStation Network breach, and a judge ruled that the policy covering the "publication" of private information could not be triggered by hackers. The parties eventually settled out of court before an appeals panel ruled. There will certainly be more litigation over what is and isn't covered in the future.