How much a data breach will cost you – directly and indirectly

For many, it could cost an entire business.

By Donny Shimamoto
Cybersecurity for Accountants

As quickly as the IRS detects cyber schemes, fraudsters come up with other attack vectors. Many are funded by rogue nation-states, so they have more resources available to them than we do.

However, this doesn’t mean that you can give up and let them run rampant. Doing so leaves you vulnerable to litigation in the event of a data breach, and to possible business disruption from ransomware.

The bottom line is that the fraudsters have figured out that your firm has a treasure trove of taxpayer information. Additionally, they’ve realized that small tax firms aren’t as sophisticated and often don’t have strong cybersecurity measures in place. You must take steps to protect your firm and your clients.

Understanding the cost of a data breach

Dealing with a data breach involves both direct costs and indirect costs. Direct costs are those you incur to investigate the data breach, minimize its consequences and assist victims (your clients) in protecting themselves from potential fraud.

Sometimes when I present at conferences about the cost of a data breach, the question comes up: “Well, I have cyber-liability insurance. Won’t that cover everything? Do I need to worry about these costs?” The answer is yes. You still need to worry about these costs. The reason for this is that cyber-liability insurance will often cover the direct costs, but it doesn’t cover the indirect costs.

And indirect costs often have a much greater impact – especially for smaller firms.

These include the time you and your staff lose notifying customers and handling their resulting inquiries, time spent working with investigators and authorities, time responding to regulators and others who are checking the appropriateness of your response to the data breach, and the potential loss of current and prospective clients. These indirect activities and costs can be far more disruptive for small firms, because staffing is already stretched thin and now you have to deal with the data breach while continuing normal operations. This is even worse if the data breach is discovered during busy season.

What triggers a data breach?

Generally, when there is unauthorized access to personally identifiable information (PII), a data breach is considered to have happened. Originally PII was only defined as:

  • A first name or initial, and last name, along with:
    • Social Security number (SSN)
    • Driver’s license number
    • Credit or debit card number
    • Financial account number with access code (e.g., a bank account number and PIN)
  • Personal health information (also known as PHI)

However, because of the public’s increasing sensitivity to privacy concerns and the resulting legislative actions, the following are now also often considered part of PII:

  • Taxpayer ID number (e.g., state taxpayer identification numbers)
  • IRS Identity Protection PIN
  • Passport number, military ID number or other government ID number
  • Health insurance policy information
  • Biometric information
  • Online account credentials

Tax practitioners often have access to their clients’ tax information, bank account numbers and sometimes other personal information – especially if they are doing full financial planning for clients. So, be sure you understand which of the data you hold must be protected and reported on if you have a suspected or actual data breach. Yes, these requirements apply even if you only have a suspected data breach.

Estimating the cost of a data breach

What does it cost to deal with a data breach? According to the 2022 Cost of a Data Breach Report from IBM, it’s $164 per record.

The chart above shows the average cost per record involved in a data breach in the U.S. This cost has increased significantly in the last couple of years (over the pandemic), so it is even more important that you take proactive action to prevent a data breach from occurring.

You can use this number to estimate your cost of dealing with a data breach. To estimate the impact of a data breach on your firm, count the following:

  • How many clients’ PII do you have? Remember that this is not just the number of returns you prepare; count each taxpayer on the return. So a joint return for a married couple with two kids would be four records.
  • How many vendors’ or business partners’ PII do you have? Originally this segment would only have been at risk if they were a sole proprietor and you had their SSN. However, with the expanding definition of PII to include business tax identification numbers, you need to include business entities in this count too.
  • How many employees’ PII do you have? While employees are much less likely to sue you in the event of a data breach, you may still be subject to fines and penalties from regulatory agencies if you fail to protect employees’ PII, so include them in the count too.

Multiply the sum of the above by $164.

Keep in mind that the average cost above includes a wide range of organization sizes, so for small and midsized firms, I often recommend multiplying the number by two or three. This is because you won’t have the economies of scale that the larger organizations will have in dealing with these data breaches.
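The counting and multiplication steps above, worked through as an added example (not from the original article): the $164 per-record figure and the two-to-three-times small-firm multiplier come from the text, while the sample returns and the vendor and employee counts are constructed for illustration.

```python
"""Breach-cost estimator using the record-counting method described above.

Added example, not from the original article. $164 per record is the 2022 IBM
figure quoted in the text; the 2x-3x multiplier is the author's rule of thumb.
All sample returns and vendor/employee counts below are constructed."""

from dataclasses import dataclass

PER_RECORD_COST_USD = 164        # 2022 IBM Cost of a Data Breach report, U.S. per-record cost
SMALL_FIRM_MULTIPLIERS = (2, 3)  # author's recommended range for small and midsized firms

@dataclass
class TaxReturn:
    """One prepared return. Every taxpayer listed on it is a separate PII record."""
    joint: bool          # married filing jointly adds the spouse as a record
    dependents: int = 0  # each dependent's SSN on the return is also a record

def count_client_records(returns):
    """Count PII records per taxpayer, not per return (joint + two kids = 4)."""
    return sum(1 + (1 if r.joint else 0) + r.dependents for r in returns)

def count_total_records(returns, vendor_records, employee_records):
    """Clients plus vendors/business partners (now including entities with
    business tax IDs) plus employees: the three counts listed in the text."""
    return count_client_records(returns) + vendor_records + employee_records

def estimate_breach_cost(total_records, per_record=PER_RECORD_COST_USD,
                         multipliers=SMALL_FIRM_MULTIPLIERS):
    """Return (baseline, low, high): the average-cost estimate and the
    small-firm range obtained by applying the 2x and 3x multipliers."""
    baseline = total_records * per_record
    return baseline, baseline * multipliers[0], baseline * multipliers[1]

# Constructed sample book of business for a small practice.
SAMPLE_RETURNS = [
    TaxReturn(joint=True, dependents=2),   # married couple, two kids: 4 records
    TaxReturn(joint=False),                # single filer: 1 record
    TaxReturn(joint=True),                 # married, no dependents: 2 records
    TaxReturn(joint=False, dependents=1),  # single parent, one child: 2 records
]
SAMPLE_VENDOR_RECORDS = 5    # constructed: business partners whose tax IDs are on file
SAMPLE_EMPLOYEE_RECORDS = 3  # constructed: staff whose SSNs are in payroll records

if __name__ == "__main__":
    total = count_total_records(SAMPLE_RETURNS, SAMPLE_VENDOR_RECORDS, SAMPLE_EMPLOYEE_RECORDS)
    base, low, high = estimate_breach_cost(total)
    print(f"{total} PII records: ${base:,} at the average, ${low:,} to ${high:,} for a small firm")
```

Swap in your own return mix and counts; the low/high pair is the range the article suggests budgeting for.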

In doing the math, you may realize that a data breach could easily cost you or your clients no less than the very business that was built and then breached in the first place. That in itself is worth going the extra mile to protect.