Don’t be a target: The true cost of a data breach
We all remember the news story from 2013 about Target’s data breach in which the names, email addresses, and credit card info (including expiration dates and encrypted debit card PINs) of some 40 million customers were hacked. As a result, Target committed more than $10 million to settle claims by customers affected by the data breach. Unfortunately (like a bad Chipotle burrito), the tarnish to the Target brand continues even today – 4 years removed – with the latest announcement that Target will bepaying an additional $18.5 million to end data-breach probes. Take that in for a minute.
Nearly $30 million and years of negative publicity, and it’s not over yet. It’s a big number, but not even the figure of most consequence in the whole ordeal. Target stated that the total cost of the data breach has been $202 million, and while they’ve settled with financial institutions and states, they have yet to finalize a consumer settlement.
What’s often not discussed is just how easily such a thing could happen – how small flaws in otherwise impregnable security postures can result in the loss of millions of dollars in revenue. Third-party environments with your business partners are also targets (no pun intended) for those looking to compromise your environment. Keep in mind that hackers actually infiltrated Target’s environment through an HVAC company. For a smaller business, an event even a fraction of this size could easily result in closing the business for good. Forget tornadoes, fires, or floods; what is your “disaster recovery” plan for a cyber attack or data breach?
Enter the bureaucrats.
In December 2016, the State of New York’s Department of Financial Services (DFS) group put forward 23 NYCRR Part 500, a 14-page document on cyber security regulations for companies who work with the financial services industry within the state of New York, as well as New York consumers. Even if a company is not part of the financial services industry, if its customers are a consumer within the state of New York, the company is potentially liable under this new code. Thankfully, there’s a cyber security FAQ (limited helpfulness notwithstanding), but the major point of the whole thing is that the State of New York is requiring anyone who does business with consumers located within the state must utilize encryption for both data-at-rest as well as data-in-flight. Similar measures are also on the books in every state, except Alabama and South Dakota, with varying requirements.
Could your business afford to pay out nearly $30 million? How about having to apologize to 40 million customers? Helping customers avoid these kinds of expensive and embarrassing events is only one aspect of the portfolio we at ReluTech bring to the table for our customers. We help customers of varying sizes (from enterprise to SMB) address their security needs to make sure their businesses are protected and resilient in day-to-day operations – whether on-prem or in the cloud.
We look forward to helping you, as well.
We hope you enjoyed this blog! If you would like to read more blogs about third party maintenance from our Reluheroes, click here.