The Hard Realities of a Cyber Event

Company profile: construction company with offices nationwide

A national construction company used a third-party cloud service provider to store their customers’ personal information. The cloud provider suffered a major data breach, compromising the Personally Identifiable Information belonging to thousands of the construction company’s customers in several states. As the owner of the data, the construction company had a legal obligation to provide an adequate and timely notice. The Attorneys General in several states instigated a regulatory investigation against the Company to determine whether they responded appropriately to the breach in accordance with various state laws. As the construction company did not have a document retention procedure and stored far more data than was required, the Company was obligated to notify over 10,000 past and present customers that their company’s data had been compromised. In addition they had to pay defense costs associated with defending the regulatory investigation.

According to the NetDiligence^® Data Breach Cost Calculator* the estimated costs for this event for the construction company could be:

An average event of this type could drive the average costs up to $1,860,000 for a business.

Risk Management Tips:

• Know where confidential information is stored, whether internally or with a vendor.
• Understand vendor’s network security controls and any contract language involving data liability.
• Have a document retention procedure in place to only store information that is necessary.

*The NetDiligence^® Data Breach Cost Calculator and other tools are available to insureds on the Travelers’ eRisk Hub^®. eRisk Hub is a registered trademark of NetDiligence.

Company profile: a clothing and accessories manufacturer

A clothing and accessories manufacturer with an online ordering system that supports 50% of their revenue suffered a data breach. The FBI notified the company that a hacker they had arrested had the credit card numbers of 500,000 of the company’s customers in his possession. After hiring a forensic investigator it was determined that the cybercriminal had compromised the online shopping carts over a 6 month period of time. The hacker was able to steal names, addresses, credit card numbers, expiration dates, card security codes and email addresses.

The Payment Card Industry Agreement required the manufacturer to hire a certified forensic investigator to examine the Company’s systems and related infrastructure. The Company incurred significant costs as they had to notify the affected customers as required by state law and they offered one year of free credit monitoring. The Company hired a public relations firm to maintain customer confidence and limit reputational damage. The Company was also subject to regulatory fines and penalties.  

According to the NetDiligence^® Data Breach Cost Calculator* the estimated costs for the manufacturer could be:

An average event of this type could costs up to $2,426,000 for a business.

Risk Management Tips:

• Maintain and frequently review compliance obligations under the Payment Card Industry (PCI) Agreement.
• Consider implementing end-to-end encryption of credit card transactions.
• Employ a chief information security officer (CISO) to develop and implement your business-wide data privacy procedures.

*The NetDiligence^® Data Breach Cost Calculator and other tools are available to insureds on the Travelers’ eRisk Hub^®. eRisk Hub is a registered trademark of NetDiligence.

Company profile: medical group

An employee of a medical group opened a phishing e-mail that infiltrated their centralized network. Anti-virus software failed to keep out the malicious code, exposing names, addresses, dates-of-birth, medical record numbers, medication, dates of service and diagnoses of 1200 patients. A computer forensics investigator was hired, who determined that PHI (protected health information) had been compromised. The medical group notified the affected individuals and hired a public relations firm in anticipation of bad publicity. Thereafter, The Office for Civil Rights launched an investigation and the medical group was fined as a result of a HIPAA violation for having unsecured access to the network.

According to the NetDiligence^® Data Breach Cost Calculator* the estimated costs for this event for the medical group could be:

Company profile: national nonprofit food bank

A metropolitan food bank service experienced a cybersecurity breach that resulted in the inadvertent disclosure of more than 10,000 donors’ personal information. Due to malware on their website server the unauthorized individual was able to gain access to donor information over a three year period. The personal information included names, addresses, emails, credit and debit card numbers, security codes and expiration dates.

Computer forensic experts were retained to assist with the investigation. Corrective measures were taken including changing all passwords, implementing additional monitoring and reviewing the food bank’s policies and procedures to ensure that all information was appropriately protected moving forward. In addition, due to the various state laws that had been implicated, the food bank was required to notify all affected donors and provide identity protection and credit monitoring for a one year period.

According to the NetDiligence^® Data Breach Cost Calculator* the estimated costs for this event for the food bank could be:

An average event of this type could drive the average costs up to $1,728,000 for a business.

Risk Management Tips:

• Encrypt data at rest on network server.
• Implement more frequent vulnerability assessments and penetration tests.
• Create, implement and test an incident response plan.

*The NetDiligence® Data Breach Cost Calculator and other tools are available to insureds on the Travelers’ eRisk Hub®. eRisk Hub is a registered trademark of NetDiligence.