Don’t be just TalkTalk: Cyber Breaches Cost Reputation and a Ton of Money

The British telecom, TalkTalk Group, announced on May 12, 2016 that its pre-tax profits were down significantly due to additional costs (83 million pounds) related to “a breach in October 2015 when hackers apparently stole data on around 4% of customers after a simple SQLi attack.” According to this article, these costs were in addition to charges already ready taken for incident response and consulting in FY 2015, amounting to approximately 42 million pounds.  That brings the current cost of the TalkTalk breach (to date) to approximate 125 million pounds, or approximately $180 million US.  The company’s full quarter press release can be found here.

For those familiar with this story, there were lots of issues relating to this breach. As news and trade reports indicate, there was a lot of initial confusion by the Company on what sort of breach occurred, how and when it occurred, as well as its extent in terms of what customer information might have been stolen. There were apparently other issues that forced the company to re-notice its customers at least twice more, once because it was publicly revealed that employees at one of its outsourcers, Wipro, had been arrested on suspicion of using customer data to commit fraud.

We write here not to find fault and not to second-guess, but to demonstrate the obvious: Cybersecurity breaches can cost A LOT of money to remediate. The customers of those companies who have suffered a breach (whose personal information likely fell into the wrong hands) will also be less than happy, and many times clearly not satisfied with their two years of free credit reporting. This breach calculus is the new normal. Breaches continue daily. Ransomware attacks occur daily. Money gets spent rapidly to remediate breaches on the fly. Ultimately, it is hard to admit, but we are losing ground to cybercrime. And as the bad guys prove daily, they are tricky, resourceful and ever-present.

Many studies and surveys show conclusively that having battle-tested incident response plans, business continuity plans and crisis communications plans can help companies immensely if they find themselves on the wrong end of a cybersecurity breach. There are tricks of the trade for each of these plans, and recommended approaches depending upon what sort of breach is suffered. More importantly there are recommended approaches for when and how to disclose that your company has been breached, all designed to preserve the company’s reputation and customer base as much as possible. The time to draft these cyber security plans, and practice them repeatedly, is obviously before any breach occurs so that the plans can be finely honed and tuned and ready to face whatever attempted breach is thrown up against them. Breach after breach has shown us that companies who stumble, trip and fall over themselves will likely suffer far greater consequences than those companies who appear to be handling them as well as they can be under the circumstances.

Our advice very simply: plan and prepare for the worst, and hope for the best.

Paul Ferrillo is counsel in Weil, Gotshal & Manges Litigation Department.