Data Breaches: A Sidewalk Sale of Consumer and Personal Information

Avalution Team | Dec 08, 2009

Data breach is a growing risk for organizations of all sizes and from all industries.  The number of reported data breaches in recent years has skyrocketed, and their cost can be devastating to an organization’s reputation and finances.  In addition, effectively responding to a data breach is far more complicated than simply sending a mass mailing to affected customers notifying them of the occurrence.  Given the potential impact of a data breach on an organization, cross-functional awareness and preparedness are a necessary addition to an organization’s business continuity program.  Continue reading to learn what a data breach is and why your organization needs to be prepared for one.

From a distance, it was business as usual for retailers in St. Paul, Minnesota.  But starting in July 2005, hackers outside of a Marshall’s retail store were shopping for more than just discounts on designer clothing – they had their eyes set on 45.7 million credit and debit card numbers, all easily accessible via the store’s wireless network.  Beginning that month, Marshall’s was hosting the largest sidewalk sale of consumer data in corporate history, a data breach that would ultimately cost parent TJX Companies more than $250 million.

Around the same time, a leading U.S. healthcare provider headquartered in Seattle, Washington, was experiencing a data breach situation of its own.  Over a six-week period, Providence Health & Services experienced two data breaches, including the theft of data back-up tapes and unencrypted notebook computers from employees’ cars in Oregon and Washington.  Despite the presence of an internal information security program, these breaches provided unauthorized access to 350,000 patient medical records, throwing the organization into “emergency mode” for 18 months, during which it needed to hire more than 30 new security professionals and formally review the organization’s information security policies.

In its simplest form, a data breach can be considered an unintentional release of secure information to a non-trusted entity.  As shown above, data breaches can involve two distinct forms of information:

  • Personally Identifiable Information (PII)
    Full name, social security number, bank account information, credit/debit card numbers (as experienced by Marshall’s), driver’s license numbers, etc.
  • Protected Health Information (PHI)
    Medical diagnosis, patient history (as experienced by Providence Health & Services), medications, etc.

Today, based on the explosive use of technology, data breaches have transitioned from simple dumpster diving and computer theft to complex data center intrusions and phishing schemes.  With that, news headlines from around the globe continue to detail new data breaches from organizations of all sizes and in all industries.  According to the Identity Theft Resource Center, more than 13.5 million records containing sensitive personal information have been released in 537 recorded breaches throughout the US this year alone.

So why are data breach awareness and proactive planning important to every organization?  As the examples above show, preventing a data breach from occurring is extremely valuable, but the ability to rapidly and appropriately respond to a breach and support the affected individuals and entities is increasingly critical for financial, reputational and regulatory reasons.  Still, only 53% of companies have preparedness or communications plans in place, according to a recent Varolii study.  What’s more, Gartner research suggests that a poorly handled breach disclosure and notification may result in unwanted interest from regulators, or in criminal or civil action.

An attack on the bottom line
A data breach of any size can wreak havoc on an organization’s bottom line through lost business, legal defense, increased customer support, notification, and credit monitoring.  Even more extreme, the U.S. National Archives and Records Administration reports that 50% of businesses that lose their critical data for 10 days or more file for bankruptcy immediately.

In its study of 45 companies that suffered a data breach in 2009, the Ponemon Institute found the total cost of responding to a breach was on average $6.75 million.  According to the study, data breach costs average $204 per lost record, of which $135 is the result of lost business, not including internal resource costs in response to the data breach.  Another similar study by Forrester Research found that data breaches cost an organization between $90 and $305 per exposed record, depending on the public profile of the breach, the regulations that apply to the organization, and the level of experience in dealing with data breaches.

A reputational blunder
It’s hardly a secret that consumers choose products and services that provide them with satisfaction.  Similarly, customers interact with companies that deliver value to them either through quality, differentiation, prestige or cost savings.  No matter the value delivered, however, a data breach swiftly decreases customer loyalty and negatively impacts organizational reputation. In fact, according to the Ponemon Institute, while the average customer “turnover” or “churn” due to a data breach was generally 3.7%, in healthcare it was much higher at 6.0% and in financial services 5.0%.  With general research suggesting that acquiring a new customer can cost up to five times more than keeping current customers, the push to proactively adopt data breach awareness and policies extends past Information Technology and into departments such as Marketing, Sales, and Communications.

Aside from the negative publicity associated with a data breach, the internal effects of such an occurrence are far-reaching, as departments across the organization assume an “all hands on deck” mentality in order to provide breach notification within the mandated 60-day notification period.  Those organizations with data breach response plans are better able to respond to such an occurrence and alleviate potential reputational blunder with documented legislation, contact lists, legal counsel, and contracted third-party experts who can quickly and effectively aid in data breach response efforts.

Navigating the current maze of data breach legislation
Today in the United States, 45 states have disclosure and notification requirements, all of which vary widely depending on the type of personal information lost during a data breach, required notification recipients, remediation documentation, exemptions from disclosure, and penalties for noncompliance.  Most challenging is the fact that these statutes are state-specific, based on customer residency, and not on the location of the affected organization.  Let’s refer back to the TJX example above.  Although Marshall’s was located in Minnesota, the organization was required to provide unique notification letters to all affected individuals on a state-by-state basis. Basically, that meant that the notification letters in Ohio were different from those in California, and so on, depending on the respective state’s statute.  In addition to the state-specific data breach notification statutes, current federal regulations and legislation include:

  • Health Insurance Portability and Accountability Act (HIPAA): Enacted by Congress in 1996, this Act set the groundwork for national privacy standards related to patient, provider and insurance company records and data.
  • Health Information Technology for Economic and Clinical Health Act (HITECH): Signed into law on February 17, 2009, this Act extends various HIPAA security and privacy requirements and lays the groundwork for increased enforcement.  In a push to increase the use of electronic health records, the Act addresses breach notification requirements, protected health information (PHI) access rights and disclosure restrictions, and penalties and enforcement related to data breach events.  Most importantly, the HITECH Act requires a covered entity to notify each individual as soon as the covered entity discovers or reasonably believes there has been a breach of PHI.  Further, notice is to be provided to individuals without unreasonable delay, and in no case later than 60 calendar days following discovery of the breach.  The time for notification must be calculated beginning on the date that the breach is first discovered, not on the date that a covered entity has completed an investigation of a possible breach.

Given the potentially catastrophic impact of a data breach on an organization, awareness and preparedness are a necessary addition to an organization’s business continuity program.  The ability to quickly and appropriately respond across the organization to a data breach is critical for financial, reputational and regulatory reasons.  As electronic consumer data increases, as more transactions are conducted electronically, and as more PII and PHI is maintained by organizations, securely handling that information is no longer merely important, but necessary.  Business continuity professionals possess the unique tools to build a cross-functional team and a plan to effectively address data breach risk.

To learn more about data breaches and planning approaches for such an event, please refer to the following resources:
Christopher Burton
Avalution Consulting: Business Continuity Consulting

Statistics updated October 14, 2010