New York AG Reports that Data Breaches Cost New York Businesses over $1B Last Year
The current headline in data security is a just-released report from the New York Attorney General's Office (the "AG Report") announcing that the number of reported data breaches more than tripled between 2006 and 2013, exposing 22.8 million personal records of New Yorkers. The AG Report reveals that last year's record-breaking exposure of 7.3 million New Yorkers' personal information – with an estimated cost to business of $1.37 billion – was largely due to two sophisticated hacking attacks at Target and Living Social. Troublingly, these "mega-breaches" are a growing trend, with five of the ten largest breaches reported to the New York AG occurring in the past three years.
According to the AG Report, hackers were the primary culprits of data breaches, accounting for over 40% of New York's 4,926 breaches and over 63% of total records exposed. Other leading causes were lost or stolen equipment or documentation (24%), employee error (20%), and insider wrongdoing (10%). The AG Report shows that recurring breaches afflict not only retailers but also companies in financial services, health care, banking and insurance.
While the AG Report highlights the increasing costs of data breaches, it may understate the total price tag. The AG Report estimates a $1.37 billion cost by multiplying the number of records exposed in 2013 (7.3 million) by $188, the average cost of one personal record compromised in the U.S., according to a 2013 global study from Symantec and the Ponemon Institute. But not all breaches are alike – the cause of the breach can have a critical impact on its cost. According to the Symantec-Ponemon study, data breaches caused by hacking attacks in the U.S. imposed a higher than average per-record cost of $277. Records compromised by system glitches and employee mistakes had a relatively low per-record cost, at $174 and $159 respectively. Given that a large portion of New York's reported breaches were caused by hackers and many breaches were not required to be reported under New York law, the cost to business was likely even greater. Moreover, this year's Ponemon Institute study (now sponsored by IBM) on U.S. data breaches points to a trend of rising costs: compared to 2013, the average per-record cost increased from $188 to $201, and the average total cost of a breach rose from $5.4 million to $5.9 million.
Companies can, however, significantly reduce the impact of a breach with enhanced security awareness and planning. Organizations with an incident response plan in place prior to the data breach reduced the average per-record cost by $17. Having a Chief Information Security Officer saved an average of $10 per record. The prime factor was adopting a "strong security posture," which reduced the average per-record cost by $21. A strong security posture includes knowing where sensitive or confidential information is located, securing endpoints to the network, identifying system users before granting access rights to sensitive information, conducting training and awareness programs for system users, conducting independent system audits, timely installing security patches, and complying with privacy laws. Although important to act quickly once a breach is discovered, where the law permits a preliminary investigation, the optimal response may not be immediate disclosure: entities that notified customers before undertaking a thorough assessment or forensic examination incurred an average cost of $15 more per record.
Data breaches impose serious long-term costs to business. In the wake of Target's breach, the retailer reported a 46% decrease in net earnings and suffered a significant drop in stock price. After 77 million PlayStation Network accounts were hacked in 2011, Sony Entertainment lost an estimated $1 billion and saw its stock fall 6%. A recent study from McAfee and the Center for Strategic and International Studies calculated the annual global cost of cybercrime to be more than $400 billion. With the emergence of the "internet of things," it is good business for companies to take cybersecurity more seriously.
Alexander Reid, a summer associate at the Firm, assisted with the preparation of this article.
 - New York State Attorney General Eric T. Schneiderman, "Information Exposed: Historical Examination of Data Breaches in New York State," at 1, available at ag.ny.gov/pdfs/data_breach_report071414.pdf.
 - Id. at 1, 3.
 - Id. at 5.
 - Id. at 4. The AG Report notes that hackers can obtain up to $45 per record on the black market for stolen personal information. Id. at 1.
 - Id. at 4 (figures rounded).
 - A total of 241 institutions reported three or more data breaches to the New York AG since 2006. Of these "multiple breach entities," 54 were retailers, 31 were in financial services, 29 were in health care, 27 were in banking, and 20 were in insurance. Id. at 6.
 - Id. at 11.
 - Ponemon Institute, "2013 Cost of Data Breach Study: Global Analysis," May 2013, at 1, www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf.
 - Id. at 1-2.
 - Id. at 8.
 - See AG Report at 4. New York state law only requires notification to the Attorney General when certain combinations of personally identifying information are disclosed (e.g. a full name and credit card number), so thousands of breaches involving the disclosure of sensitive information went unreported. See New York State General Business § 899-aa; AG Report at 17. This loss estimate also does not account for the economic cost felt by the consumers whose privacy and identities were compromised, such as needing to replace credit cards or having a credit score harmed by an identify thief. AG Report at 17.
 - Ponemon Institute, "2014 Cost of Data Breach Study: United States," May 2014, at 1, ibm.com/services/costofbreach, (follow the "United States" link) ("2014 U.S. Cost of Data Breach Study").
 - Id. at 9 (U.S. figures).
 - Id. (U.S. figures).
 - Id. (U.S. figures).
 - Id. at 9 n.6.; Ponemon Institute, "The True Cost of Compliance" January 2011, at 30, tripwire.com/tripwire/assets/File/ponemon/True_Cost_of_Compliance_Report.pdf.
 - 2014 U.S. Cost of Data Breach Study at 9.
 - Elizabeth Harris, "Data Breach Hurts Profit at Target," N.Y. Times, Feb. 26, 2014, nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html.
 - Juro Osawa, "As Sony Counts Hacking Costs, Analysts See Billion-Dollar Repair Bill," Wall St. J., May 9, 2011, online.wsj.com/news/articles/SB10001424052748703859304576307664174667924; Ian Sherr and Nick Wingfield, "Play by Play: Sony's Struggles on Breach," Wall St. J., May 7, online.wsj.com/news/articles/SB10001424052748704810504576307322759299038.
 - Center for Strategic and International Studies, "Net Losses: Estimating the Global Cost of Cybercrime," June 2014, at 2, mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf?ClickID=c44f4vewzaknainiinxnkxvxiflkaqsepzki.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2014 White & Case LLP