ERIS Privacy ROI

To calculate the privacy return on investment (Privacy ROI) an organization needs to consider costs and likelihood of a breach. The costs can be estimated by using 'Calculating the Cost of a Privacy Breach' section on this page or by using industry experts estimations. According to a Ponemon study the average cost of a breach is $237 per record.

The likelihood of a breach can be calculated by conducting a full privacy self-assessment or by making estimates based on the following factors:

• number of employees
• locations of employees
• number of customers
• quantity of sensitive information collected
• quantity of data transfers
• location of the data (countries)
• quality of the safeguards in place to protect the personal information
• retention periods
• media in which the information is stored
• number of audits/self-assessments conducted
• quantity and quality of 3rd parties processing the data
• maturity of privacy management programs, including the quality of:
  • data handling policies and procedures
  • employee training
  • privacy self-assessments and audits
  • incident tracking and investigation programs
  • breach response protocol
  • data retention and destruction programs and
  • data leakage protection programs.

Privacy ROI is only one component of the total ROI available from ERIS Privacy Breach Insurance. To calculate the total ROI it is best to contact an ERIS advisory.

Download a detailed paper on Privacy Breach Insurance and visit www.execurisk.com.

Calculating the Cost of a Privacy Breach

This section helps organizations assess the costs of a privacy breach.

First-Party/Direct Damages to Business

Losses that a company may incur as a result of harm to itself sustained from a breach include those related to:

• A Response Plan
  • Discovery/detection: costs associated with the detection or discovery of the breach
  • Reporting: costs incurred in reporting the breach to all appropriate internal and regulatory personnel/bodies
  • Notification: costs incurred by the company to notify affected individuals with a letter, telephone call, email, or general notice that personal information was lost or stolen.
• Mitigation/Crisis Management: costs to help victims of the breach obtain information as to how to respond to the breach and minimize harm, including:
  • credit report monitoring
  • reissuance of new cards or accounts
  • call centre and Web site to register complaints, provide information, and monitor activity
  • public relations.
• Restoration/Reconstruction:
  • costs to restore lost or damaged information, including damaged IT systems;
  • changes to internal processes.
• Decline in Revenue: lost business related to loss of trust and confidence by customers, negative reputational effects, and any interruption to business services.

Third-Party Liability

Losses that a company may incur as a result of harm to individuals or entities include the following:

• Compensation to clients or employees for general damages and out-of-pocket costs such as:
  • loss from bank or credit card accounts
  • general damages for inconvenience and violation of privacy rights
  • economic loss arising from time off work spent dealing with the incident
  • compensatory damages for emotional harm, humiliation, or embarrassment
  • costs incurred in gathering information about breached data
  • funds expended in protecting personal information such as changing credit and debit accounts
  • cards and personal identifiers (such as Social Insurance Numbers), monitoring bank
    accounts, and credit card statements.
• Contractual fines/penalties: payment of fines and penalties arising out of a breach of contractually imposed industry-specific privacy standards, such as the Payment Card Industry Data Security Standard.
• Subrogation: compensation to third parties such as downstream businesses or credit card companies that incur losses associated with a breach, including issuing new cards and paying fraud expenses associated with compromised cards, and then claiming reimbursement from the company sustaining the breach.
• Defense: any legal costs incurred in responding to complaints and litigation, including class actions.

Regulatory/Law Enforcement Costs

Companies can expect to sustain losses associated with Canadian regulatory and other law enforcement agencies in connection with an actual or potential privacy breach including:

• Canadian Privacy Commissioner: costs associated with self-reporting breaches, responding to complaints, and defending investigations and proceedings before the commissioner, including:
  • legal defense costs
  • compliance with regulator’s recommendations—including improvement to safety practices and retention of a third-party auditor.
• Federal Court: costs of proceedings associated with appeal of privacy commissioner’s findings, including damage awards for humiliation (with no cap on damage amount), fines, and penalties.
• Criminal Code of Canada:13 costs of defending criminal prosecutions, including legal costs, penal sanctions, and restitution awards.