Takeaways for Digital Health Industry from New Study on Costs of Data Breach

If you are a digital health provider, then your company has likely had occasion to negotiate indemnification clauses relating to data breaches.  Moreover, your company has probably had to provide warranties around data security or employee bad acts that would provide some protections to your customers in the event of a data breach.

But have you ever taken the time to really consider what the cost of a possible data breach might actually be for your company?

Network World recently published an article looking at the results of a 2016 data breach study conducted by the Ponemon Institute and IBM and determined that the total average cost for a breach is now $7 million, and that average cost per compromised record is now $221.  Network World further reported that the same study concluded that the average cost of a data breach of more than 50,000 records was $13 million.

Obviously, these costs are significant enough that unlimited liability indemnifications relating to data breaches have the potential to generate significant expenses, as do actions for breaches of warranties relating to data security.

So, what can software companies do to protect themselves against data breach liabilities?

First and foremost, companies need to take data security seriously and enact policies and procedures that prioritize data protection.

Second of all, companies need to carefully negotiate clauses related to cyberrisk and cyberliability with the expectation that a data breach will occur that is going to trigger the application of all such clauses down the road.  In particular, if you agree to take on unlimited liability of all costs related to a data breach, you need to be prepared to cover the expected costs that will arise from any such data breach.    Similarly, in negotiated services contracts, companies need to take the time to carefully define the full scope of services they provide with respect to data protection and data security in such a way that a data breach will not constitute a material breach so long as the services are fully performed in accordance with the defined scope of services.

Third of all, companies need to purchase cyberinsurance in order to ensure that they have sufficient coverage in the event of a data breach.  While cyberinsurance is a relatively new insurance product which has in the past often had many gaps in coverage, Tech Republic suggested in an article published today that the newer policies are starting to close some of the earlier policy gaps to coverage.  However, Tech Republic reported that companies should still watch for coverage limits in cyberinsurance policies for regulatory actions, cost of call monitoring, credit monitoring, forensic investigations, hacks that began prior to the coverage term, and attacks that have third party consequences.

The bottom line is that software companies need to have contractual and insurance protections in place to protect the businesses against the consequences of the inevitable data breach that affects their business.  With data breaches as well as costs on the rise, companies of all sizes need to be prepared to deal with the fallout of a cyberbreach when it occurs.