Chapter § 9.02 Costs of a Data Breach13

Jurisdiction: United States
Publication year: 2020

“Cyber attacks have become so frequent that it is no longer a matter of whether [law] firms will be the victim of a cyber attack, but a question of when and to what extent.”14 The costs of these attacks and the number of records exposed in them are steadily increasing each year. According to the Ponemon Institute’s 2018 Cost of a Data Breach Study, the average total cost of a material data breach increased year over year from $3.62 to $3.86 million (about 6.4%); the average cost per lost record rose from $141 to $148 (about 4.8%); and the average size of data breaches increased by 2.2%.15 Moreover, the average total cost of a substantive breach in the United States has reached $7.91 million.16 Below, we discuss the elements of these costs, ways to mitigate them, and instances where firms have been sued by clients for legal malpractice following a breach.

[1] Elements of the Costs of a Data Breach

As one might expect, law firms that have fallen victim to cyber attacks report business interruption losses, loss of billable hours, remediation costs, replacement costs for hardware and software, and loss of critical information, on top of reputational harm and a loss of client trust.17 There are other costs, however, that may not be so plain. Data breach costs broadly fall within one of five categories: detection and escalation, notification, post-data-breach response, lost business, and direct and indirect. More specifically:

• Detection and escalation costs include forensic investigation, assessment and audit services, crisis team management, and communications to executives and the board of directors.
• Notification costs can comprise creating contact databases, determining regulatory requirements, engaging outside experts, postal expenses, email bounce backs, and internal or external communication platforms.
• Post-data-breach costs include help desk activities, inbound communications, legal expenses, product discounts, reestablishing financial accounts and making new payment cards, and regulatory interventions.
• Lost business includes many of the reported harms mentioned above, such as customer attrition, increased customer acquisition activities, reputational losses, and lost goodwill.
• Direct costs consist of money spent to accomplish such activities as engaging forensic experts, hiring law firms, or offering customers identity theft protection, and indirect costs include the allocation of resources, such as
...
