Small Business Data Breach: Mitigating the Damage

If you’re a small business, you’re probably following the Target fiasco closely and trying to figure out how it will impact your organization.

While data breaches at giant retailers like Target and TJ Maxx grab the spotlight, a breach is just as realistic a scenario for small businesses – and attacks at that level can prove far more devastating. Experts say small business owners who don’t make protecting customers’ personal information a top priority could soon find themselves out of operation.

“I don’t know how small and medium-sized businesses can survive something of that magnitude,” Will Pelgrin, president and CEO for the Center for Internet Security, told Business News Daily.

Jeff Kosc, a partner with the law firm Benesch, Friedlander, Coplan & Aronoff LLP, said businesses that compromise customers’ personal data, such as credit card and Social Security numbers, face a multitude of costs, not all of which have an exact dollar amount attached.

One of the largest costs comes from the credit and debit card companies, which, Kosc said, have broad powers and rights in data breach situations, especially if it is discovered that the business wasn’t complying with payment card industry (PCI) regulations. PCI regulations govern the specific security measures that businesses accepting credit and debit cards must adhere to.

“If there is a breach of PCI, they have rights to level fines on merchants,” Kosc said of the credit and debit card companies. “They are also entitled under those agreements to chargeback any fraudulent charges that take place on anyone’s card as a result of the data breach.”

In addition to paying back the credit card companies, businesses incur costs associated with alerting consumers to the breach, paying for their credit monitoring services, investigating how the breach occurred and taking additional steps to ensure it doesn’t happen again.

Recent research from the Ponemon Institute and Symantec estimates that it costs businesses $188 per record lost.

Kosc said many businesses in these situations also face a loss in productivity because employees are more focused on cleaning up the mess than they are on normal day-to-day responsibilities.

“You are pulling everyone away from their regular job duties to deal with a data breach,” he said.

Depending on the scope of the breach, Kosc said businesses also face potential fines from the Federal Trade Commission. As an example, he pointed to TJ Maxx, which was forced to pay out more than $9 million in fines to more than 40 different attorneys general following its breach in 2007.

In addition to the hard costs, businesses also suffer potentially priceless damage to their reputation and trust.

“There is a community of people who have a trusted relationship with you and that can be jeopardized,” Pelgrin said. “How you recover from all of that can be very difficult.”
