If you’ve ever wondered why all the hullabaloo about cyber planning, here is a great example:
Equifax has said that it “owed no duty to safeguard the personal information of millions of consumers and financial institutions” affected by its massive 2017 data breach, and has asked to have the resulting lawsuits dismissed. (Daily Report, 24 July 2018.)
The claims of the affected financial institutions are, in essence, vendor management claims. Their success in court, and the likelihood that those banks can look to Equifax to make whole their losses, may depend in part on how good their contracts were with Equifax. The losses the banks suffered likely include costs of customer relations (phone, email, and other support), continued anti-fraud efforts in the aftermath of the breach, issuance of new cards or accounts or credentials to replace compromised accounts, and other direct costs.
To gain an idea of the scope of the potential loss to the banks, keep in mind that Target settled most of the claims relating to its 2013 data breach, for about $100 million total. Of that money, $10 million went to consumers. $60 -$70 million went to credit card issuers like Visa and MasterCard.
The comparative commercial losses after a massive data breach usually dwarf the losses to consumers personally. Target was breached when an HVAC vendor left open a hole to a single store in the Midwest. Equifax was breached when it failed to install a single routine software patch recommended by its IT vendor.
How good are your contracts with your vendors? Could they make you whole if you were fighting about whose responsibility it was to restore your business operations, buy new computer equipment, replace or rebuild your business data, handle your customer and client relations, pay the PR firm and lawyers, and more? Planning is easy, relatively inexpensive, and can flag many “little” details like standard contractual language. Taken together, these efforts can prevent greater losses later. #CyberForGrowth