
The Costs of Data Breach: Incident Response (Part I)

In the previous blog, Vestige’s Chief Technology Officer, Greg Kelley, covered the advantages of a HUNT TEAM and how it provides proactive, long-term cyber defense. This preventive approach can potentially save organizations millions of dollars by stopping cybertheft and damage BEFORE it occurs. He also mentioned the devastating effects data breaches can have when a HUNT TEAM is NOT in place. That brought on the idea for a new, 3-part blog series that takes a look at the flip side: what can happen to organizations that wait and must react AFTER a data breach occurs. Read the first post in the series below:

The Costs of Data Breach: Incident Response:

Data breaches have become widely known and publicized in the last few years. This is not because data breaches did not exist before; it is closely correlated with today’s advances in technology and the laws that are now in place to protect individuals’ sensitive and private information.

With this publicity comes increased attention and increased costs. IBM’s 11th annual “Cost of Data Breach Study” states that the average cost of a data breach in 2015 was $3.8 million. In 2016 the price increased to $4 million. On a “compromised record” basis, the cost of each individual compromised record rose this year from $154 to $158 per record.

The cost of a breach can be broken into three separate components:

1. Cleaning up after the data breach
2. The litigation process and penalties and fees that follow
3. Reputation loss

Dealing with the Aftermath of a Data Breach

In most cases, after a cyber intrusion is detected, it is found that the attacker has been in the environment for around 8-12 months. This is plenty of time for the attacker to learn information about the environment or install back doors so that there is always a way back into the network. Any remediation must take into account whether the organization has actually rid itself of the attacker, in order to prevent future compromises.

After a data breach is detected there are steps which need to be taken to start the damage assessment. The first step is to identify what specifically was compromised in the data breach. This data breach analysis can be done by the company’s IT staff, or the organization can bring in a 3rd party forensic company to assess the environment. Assessing what was compromised can be a difficult task because the IT staff may not know where to start the investigation or which artifacts to review to see what was compromised. Additionally, there is a difference between what may have been compromised and what was compromised. Today’s laws lean toward “if you can’t prove that a record wasn’t compromised, you have to assume that it was compromised and then act upon it with that assumption”—a fact that can oftentimes be quite significant!

While hiring a 3rd party forensic company to help with the assessment process may seem expensive at first, oftentimes it will make the process less expensive in the end. For instance, in a recent breach, Vestige Digital Investigations was able to prove that the scope of compromised records in a database containing 3.6 million records was actually only 11,000 records; the organization’s IT resources did not have the requisite knowledge to narrow it down, which would have forced it to assume that the entire database was compromised. Being able to affirmatively prove that only this small percentage of records was compromised had an immense impact on the overall cost of the breach. An outside forensic company that has this expertise and focuses on it around the clock can shorten the investigative window and lead to tremendous savings overall. Depending on the complexity of the organization’s environment, the scope of the breach and the data compromised, forensic analysis can cost from the low tens of thousands of dollars to upwards of a hundred thousand, but the savings can be in the millions.
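To make the “may have been compromised” versus “was compromised” distinction concrete, here is an added example (not Vestige’s tooling or code from this post) that classifies records from constructed audit-log lines and applies the assume-compromised default to records that have no log coverage. The table names, accounts, record counts and intrusion window are assumptions made up for the example.

```python
from datetime import datetime

# Per-record cost figures quoted on this page (IBM study, USD).
COST_PER_RECORD = {"average": 158, "healthcare": 402, "financial": 264}

# Constructed audit-log lines (not real data): timestamp, account, table, record id.
SAMPLE_LOG = """\
2016-03-02T01:14:09 svc_report customers 1001
2016-03-02T01:14:10 svc_report customers 1002
2016-03-02T01:15:33 svc_report customers 1003
2016-03-05T09:00:02 jsmith customers 1002
2016-03-06T22:41:57 svc_report customers 1007
""".splitlines()

def parse_log(lines):
    """Parse the constructed lines into (time, account, table, record_id) tuples."""
    out = []
    for line in lines:
        ts, account, table, rid = line.split()
        out.append((datetime.fromisoformat(ts), account, table, int(rid)))
    return out

def assess_scope(records, entries, attacker_accounts, window, logged_tables):
    """Split every record into proven-accessed, provably untouched, or unknown.

    records: table name -> set of record ids held in that table.
    logged_tables: tables whose audit log was complete for the window. A record
    in a table without complete logging can never be cleared, so under the
    default rule described on this page it must be treated as compromised.
    """
    start, end = window
    proven = {(t, r) for ts, acct, t, r in entries
              if acct in attacker_accounts and start <= ts <= end}
    unknown = {(t, r) for t, ids in records.items() if t not in logged_tables for r in ids}
    cleared = {(t, r) for t, ids in records.items() for r in ids} - proven - unknown
    return proven, cleared, unknown

def notification_cost(proven, unknown, data_type="average"):
    """Records to notify = proven + unknown (the assume-compromised default)."""
    count = len(proven) + len(unknown)
    return count, count * COST_PER_RECORD[data_type]

def run_example():
    # Constructed inventory: 'customers' is audit-logged, 'billing' is not.
    records = {"customers": set(range(1001, 1011)), "billing": set(range(1, 6))}
    window = (datetime(2016, 3, 1), datetime(2016, 3, 7))   # assumed dwell window
    proven, cleared, unknown = assess_scope(
        records, parse_log(SAMPLE_LOG), {"svc_report"}, window, {"customers"})
    to_notify, cost = notification_cost(proven, unknown)
    total = sum(len(ids) for ids in records.values())
    return {"proven": len(proven), "cleared": len(cleared), "unknown": len(unknown),
            "notify": to_notify, "cost": cost,
            "cost_if_assumed_all": total * COST_PER_RECORD["average"]}
```

With the constructed data, 4 records are proven accessed, 6 are cleared by complete logging, and 5 unlogged billing records fall back to the assume-compromised default; the notification cost is computed on 9 records rather than all 15.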

The next step in dealing with a data breach would be to start with the litigation and notification process.

Litigation and Notification

When looking into the litigation aspect of cyber-attacks, organizations often want to know who is responsible for the damages the attacker has caused. The answer is that it depends. There are multiple ways a company can be compromised, and determining where the breach started is key when attempting to mitigate costs.

If the attacker only compromises your network and you were the originating point, then the only thing to worry about is what specific data was actually compromised and what obligations are in place for this compromised data. If the attack originated in your network but has branched to other organizations that you work with, then it becomes a more complicated process. The name for this is “Upstream Liability.” Upstream liability is when an organization has been compromised by one of its affiliate trusted parties or vice versa. In Upstream Liability, there is an existing (and often formal) relationship in place between the organizations.

On the other hand, if the investigation of the breach leads from your organization to another organization’s network, or vice versa, and there is no affiliation between your organizations, then this is what is called “Downstream Liability.” These two types of breaches are believed to be the most costly because of the collateral damage that can occur. Not only will the breached organization have to worry about the costs it incurs for itself, but it may have to cover any damages to its affiliates or non-affiliates.

Most of the time when there is a relationship between two organizations, there are legal policies and procedures in place for these specific circumstances. Having these policies in-place will help mitigate costs and allow each party to truly understand what they are responsible for. If there is a breach between two parties that have no relationship, the cost could be much greater depending on the damage that was caused.

Once an organization has assessed what has been compromised, it goes through a process of determining what legal obligations it may have and what it has to do to let customers, vendors, stockholders and employees know what has happened. This also includes any kind of violations due to PCI or HIPAA compliance.

It is interesting to note that when healthcare or financial data is compromised, the costs escalate. For example, if healthcare data is compromised, the average cost per record is not the 158 dollars stated earlier; instead it skyrockets to 402 dollars per record. If the compromise contains financial records, the cost is also much higher than the average: the average cost per record for financial data breaches is 264 dollars. The final cost can obviously be much higher still, depending on what specific data is kept in the network. Notifying stockholders is another big issue when it comes to final costs. In the end this can affect the organization’s market capitalization. Additionally, disgruntled shareholders may start or join class action litigation against the organization, as we see with many of today’s breaches.

Reputation Loss

The biggest concern for most organizations is the hit to their reputation. There is still a stigma attached to organizations that have been breached. Not only do they lose business from their current consumer pool, but they sometimes fail to gain new business due to their track record.

In its “Reputation Impact of a Data Breach” survey, Experian correlated reputation or brand image loss with data breaches. The study found that 76% of the organizations stated that their reputation or brand image was impacted moderately to severely when there was a loss or compromise of customer data. These same companies reported a 21% loss in the value of their brand. Similarly, over 75% of the companies were impacted moderately to severely when their intellectual property data was compromised; they reported a drop in value of 18%. The average recovery time for reputation or brand image loss is around 8-12 months. It is something that most companies have difficulty overcoming, if they are able to endure the loss at all.

Proactively Managing Data Breach Risks

A data breach can often be mitigated or completely avoided with the correct precautionary steps taken.

1. Make sure that the organization is being proactive. The creation of a HUNT TEAM would be best in this situation, but it is understandable that some companies cannot afford to create a HUNT TEAM due to a lack of resources. In those cases, the policies below would be a good starting point:

a. Establish a Data Breach Response plan,
b. Identify Sensitive Data and how it is being protected,
c. Map the Flow and Processes that incorporate that sensitive data and determine gaps in controls designed to protect the data and detect when it has been compromised,
d. Ensure that System and Network Logging is Occurring and logs are managed and retained for an appropriate length of time, and
e. Establish Formal Documentation on the responsibilities and liabilities of each organization in a trusted relationship.

2. Completing an Annual Assessment would not only keep the organization on the proactive side but it would also provide useful information for the entire staff as they conduct their normal business throughout the year. This allows the company to understand what data is sensitive and where it is stored. This will also allow the internal IT staff to understand what to do and what to look for when a data breach occurs.

3. Engaging a 3rd Party Forensic Company to assess your business is something that most companies overlook. The most valuable information to an organization can come from unbiased professionals who deal with hundreds of similar situations. The 3rd party forensic company will learn how data flows through your environment, locate where sensitive data is stored, discover what rules or triggers are in place to detect intruders, and ensure that the environment is hardened to best-practice security standards.

In Conclusion

These are just some of the steps to take when looking to properly avoid data breaches and their damages. If you have any questions or want to know more about the topic of data breaches and prevention, feel free to contact us here at Vestige.

By Zachary Ridgway, DFCA