The cost of dealing with the data breach was prohibitive.
That statement from San Diego-based Impairment Resources, LLC is the most succinct explanation of how a data breach can result in a company’s bankruptcy. Impairment Resources lost detailed medical and personal records of more than 14,000 people following a break-in at its offices in December 2011. The company would have been more fortunate if the thieves had only taken physical assets, but liabilities relating to the loss of electronic medical records were more than the company could absorb. It filed for Chapter 7 liquidation barely three months after the break-in.
Impairment Resources’ experience is not the only example of an organization that was either driven out of business or that suffered substantial losses as a result of a data breach. Consider:
- In 2014, the web hosting and software collaboration company, Code Spaces, shut down its operations after a hacker accessed the company’s networks and deleted data and backups. The hacker launched a distributed denial of service (“DDoS”) attack against the company’s servers and coupled that attack with a data intrusion that deleted data. The hackers made a ransom demand on Code Spaces, which the company did not pay. The company instead opted to end its operations and to work with its remaining customers to recover any data and information that could be recovered.
- The business services company, MyBizHomePage, had been valued at $100 million before it suffered a crippling cyberattack that was purportedly launched by the company’s former chief technology officer, who was though to be looking for revenge against the company after he was fired. The cyberattack wiped out the company’s ability to provide services for its clients, leaving its founder and CEO no choice but to shut the company down and to saddle investors with millions of dollars in losses.
- Although the adult entertainment services company, Ashley Madison, continues to have some operations, its plans for a public offering and its overall business prospects suffered a serious blow following a 2015 data breach that publicized the identities and other information of many of the company’s customers. Following the data breach, the company experienced a decrease in revenues of more than 25{881ed96bc2b3f74deefab0bdd1d9de50ba52fa862f6c49cd106b87e5ad6f8e27}. It is also devoting resources to address a $576 million class action lawsuit that its customers filed, and it cancelled its planned public offering, thus limiting its business prospects and growth potential for many years to come.
Cybersecurity experts will continue to debate the best methodologies to prevent data breaches that lead to these types of business problems. Large companies that have greater financial resources will be able to implement a full slate of recommended measures, but small and midsize companies that are more thinly capitalized will not always have that luxury. At least one study suggests that the strongest protection against data breaches will cost approximately $230 per data record. This cost is prohibitive even for large companies.
Adopting a strong data recovery protocol and procuring data breach coverage are the most cost-effective defenses against the kind of large cyberattack that can drive a company into bankruptcy and force it out of business. If Impairment Resources had procured data breach coverage, for example, it would have had a resource to assist it in handling the costs of the data breach it experienced. Those costs might include direct losses to data and systems that are affected by the breach, third-party liability claims associated with exposure of personal and financial information, internal investigation and analysis costs to determine the extent of the breach, and fines from regulatory agencies that have oversight on the business’s operations.
Most cybersecurity experts agree that it is no longer a matter of “if” a small or midsize business will experience a data breach, but “when” that data breach will happen. Data breach insurance coverage is the last line of defense that can keep a company in business after it experiences a cyberattack.