Companies suffering data breaches often find themselves struggling to navigate the challenges of the so-called “breach triangle,” as a victim, defendant and potential plaintiff. More often than not, the already overwhelming situation is exacerbated by the risks associated with failing to roll out the proper response.
According to Kristofer Swanson, Vice President and Forensic Services Practice Leader at Charles River Associates (CRA), “Because there are often numerous economic costs and losses in these situations, companies risk making tactical, legal and disclosure decisions based on incomplete estimates of – or strategically inconsistent approaches to – the comprehensive impact of a cyber-incident.”
Identifying the economic consequences of a data breach as soon as possible can help victims quantify the damage done, allowing companies to move towards a solution that corrects it. A key stepping stone to that point is recognizing which consequences are the easiest to identify and then quantify.
“Typically, the [easier] ones to capture are in a company’s general ledger accounts in the normal course of maintaining its books and records, such as penalties and fines, as well as investigation and notification costs,” stated Peter Resnick, CRA Vice President.
Time is of the essence during a data breach, given the harm that could be done to both a company’s tangible and intangible value. Identifying the easy-to-catch economic consequences could help narrow down the harder-to-find problems presented by a data breach. It may also help mitigate additional damage to the company’s reputation, both internally and externally.
Resnick continued, “However, a company may sustain additional economic consequences, including harm to their reputation, increased customer or employee turnover, greater cost of capital and lost future profits.”
Insurance policies may help a company recover from the damage; however, there’s no guarantee as to what effect they will have. Swanson noted that “some costs may also be recoverable from third parties and/or claimed under existing insurance policies. However, these costs can be challenging to quantify defensibly and often require complex calculations and sophisticated analytical capabilities.”
The damage done to a company by data breaches, be they accidental or malicious, can be turned around with the right steps during the aftermath, possibly steering a company back on track towards value creation. Nonetheless, a risk management strategy proves to be a crucial element in preventing a data breach in the first place.