Logo of TRICARE, the health care plan for the ...
Image via Wikipedia

Reading about another large data breach had me thinking about the non-technical side of a data breach.

In these current times it is impossible to avoid the stories of data breaches because the press and blogs spin into gear almost immediately.

Coming from the IT Security industry, I always think about the “normal” costs:-

  • The cost of forensics
  • The cost of the improved security, which may involve new solutions
  • The inevitable cost of training staff to understand and manage the new and improved security solutions
  • Then there is the compliance costs, the fines, the legal actions, credit monitoring, etc

However, when I saw that Tricare, who had lost 4.9 million records, is going to POST out a notification to all those affected by their data breach I started to consider the “other” costs.

  • 4.9 million Database consolidations and data merging in readiness for the mailing
  • 4.9 million Address labels
  • 4.9 million Envelopes
  • 4.9 million Letters
  • 4.9 million Folds, inserts and sealings by machine or individual
  • 4.9 million Stamps or franks. For Tricare the affected ex-patients will be spread across the whole of America, with thousands out of the country. Even with bulk mailing discounts that is one very very large bill.
  • Then there is the helpdesk to deal with hundreds of thousand of calls from concerned individuals affected by the breach.
  • There will be other costs but this is a quick summary

All together that will be millions of dollars in direct costs, paper, postage etc and probably millions in in-direct costs with staff tied up for weeks preparing the mail shot and then handling all the inbound and outbound calls resulting from the mail shot.

These “other” costs will be many multiples the cost of encryption and retraining required to close the door.

According to Tricare, the risk of the data’s misuse remains low. “Reading the tapes takes special machinery. Moreover, it takes a highly skilled individual to interpret the data on the tapes. Since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low,” their press release states.

The risk may be low but the costs are high. A real important lesson to anyone storing Personally Identifiable Information (PII).

The information, contained on backup tapes of electronic health records, was stolen from the car of an employee of Science Applications International Corp (SAIC). The employee was transporting the tapes between federal facilities. The data was partially encrypted, a spokesman said… “partially”…