How Much Would a Cyberattack Cost Your Self Storage Business?
How much would a cyberattack cost your self-storage operation? The answer is more than you might think.
The average cost of a data breach impacting a small to medium-sized business was $149,000 in 2019, according to the National Cybersecurity Alliance. Most businesses incur costs of around $10,000 to recover from a breach, with just under 20% reporting damages over $100,000.
In 2021, IBM determined that the average recovery cost per compromised record was $180. That means if a self-storage facility with 200 tenants has all of their customer information stolen, they’d be looking at a total recovery cost of around $36,000.
Calculating the Cost of a Data Breach
The final cost of a data breach depends on the type and extent of the attack, and the size of the organization. There are direct costs and indirect costs associated with cyberattacks that can continue to accumulate for years after an incident until they are fully realized.
Professional service firm Deloitte has identified 14 different costs associated with cyberattacks, both direct and indirect. It is important to note that the hidden costs are potentially much greater than the direct costs of an attack.
- Technical investigation
- Customer breach notification
- Post-breach consumer protection
- Regulatory compliance
- Public relations
- Attorney fees and litigation
- Cybersecurity improvements
- Insurance premium increases
- Increased cost to raise debt
- Impact of operational disruption or destruction
- Loss value of customer relationships
- Value of lost contract revenue
- Devaluation of trade name
- Loss of intellectual property
In this post we will discuss each of these expenses, both indirect and direct, as it relates to the self-storage industry.
Once a breach has been identified, self-storage businesses should look to hire computer security professionals to conduct a thorough forensic analysis of their network. Investigators will determine how the attack took place, how much personal data was exposed, and if there is an ongoing attempt to infiltrate your network. This process could take several weeks.
- Cost range: $5,000 - $15,000
Following a data breach, you will be required to notify any affected or potentially affected tenants (and employees). Each state, as well as the District of Columbia and Puerto Rico, have passed laws requiring companies to notify customers when personal information is compromised in a data breach. The specific notification requirements vary by location, however most states allow for written or electronic notice (email) to be given.
Even if you can avoid the expense of mailing written notices, you will still have to deal with additional issues associated with building contact lists, compliance monitoring, consulting, and tracking down customers whose email bounces back.
A handful of states, including California, Delaware and Massachuesetts, require companies to provide free credit monitoring to affected customers following a data breach for as long as two years. In Connecticut, monitoring is required if the breached records include social security numbers or TINs. As a face saving measure, some companies may choose to provide free monitoring to affected customers even if there isn’t a legal obligation to do so.
- Cost range: $10 to $30 per month per customer. Two years of credit monitoring for 200 tenants adds up to at least $48,000.
Different industries have different cybersecurity frameworks and regulations. You may have heard of HIPPA for medical records, which imposes specific penalties against companies that have allowed medical records to be compromised. That doesn’t apply to storage operators but there are a couple that do:
- PCI-DSS (Payment Card Industry Data Security Standard): This set of 12 regulations covers companies that handle and store credit card information. Businesses that are not in compliance at the time of a data breach could face fines between $5,000 and $100,000.
- CCPA (California Consumer Privacy Act): This only applies to companies with gross annual revenue above $25 million. If you’re subject to the law, your storage operation faces $7,500 fines for each intentional violation and $2,500 for each unintentional violation. Individual consumers can also sue for between $100 to $750 or actual damages, whichever is greater. Other states have similar laws, and more are underway.
If your storage firm is large enough to warrant it, you might need to hire a public relations pro to help handle the fall out of a data breach. This could be an ongoing process to rebuild trust with consumers in your community.
- Cost range: Small to midsize storage operators can expect to pay around $125 to $250 an hour for a PR firm.
Expect legal costs to skyrocket in the wake of a data breach. Even if you do not face any lawsuits, you’ll likely need legal services to navigate disclosure compliance. If your data breach involves customers in multiple states subject to different jurisdictions, the complexities of compliance go up a great deal.
Actual litigation is rare, with less than 4% of data breach incidents resulting in a lawsuit. Of those, most are settled. Most cases involve a few plaintiffs. Cases with many plaintiffs are typically consolidated into class action suits. Settlement costs vary depending on brand visibility and the number of impacted customers.
- Cost range: The lowest settlement amount in a recent analysis of 150 data breach cases was $50,000. The median settlement amount was $1.6 million.
To prevent another data breach or other attack, you’ll need to immediately invest in cybersecurity improvements. This could involve upgrading your facility websites, hiring full-time IT help, contracting with security firms, instituting cybersecurity training for employees, and expanding the use of antivirus and anti-phishing tools.
The good news is that many property and casualty policies for businesses, and self-storage companies specifically, offer coverage to protect against losses that stem from a data breach. But in many cases, operators can expect your premiums to go up after an incident. Anecdotal research from Deloitte found that business insurance premiums often go up significantly after an incident and coverage could be denied until stringent security procedures are put into place.
Operators may face issues obtaining financing after a data breach. Companies that have experienced a data breach are perceived as higher-risk investments for lenders. This can lead to higher interest rates for borrowing capital.
It is unlikely that a data breach or other cyber attack will completely disrupt a self-storage business to the point that it must cease operations, especially if it has on-site managers in the front office running the day to day. However, there may be situations in which you would have to shutdown your network, email server, or computer terminals for an extended period of time. You may also have to temporarily shutter your website as well until weaknesses are addressed.
This is a big one for the self-storage industry, as it is a business that relies on referrals and long-staying customers. In the immediate aftermath of a data breach, many affected tenants could move out and take their business to another facility that takes security more seriously. Future tenants could also be discouraged from renting from you if the data breach makes the news or is mentioned frequently in online reviews. When you consider the average lifetime value of a self-storage tenant, such a loss is a steep one to swallow.
Since self-storage contracts are month-to-month, this category doesn’t pose as much risk as it does to others. It does pose a major risk, however, for self-storage management companies who rely on contracts with facilities to earn revenue.
This aspect likely only would have a major impact on regional and national self-storage players, but it is a real risk for any victim of a data breach. To determine the impact of this, you would have to have an assessment conducted to determine the value of the trade name before and after the incident. Consider the cost of conducting such an assessment as well.
In a data breach it isn’t just customer records that are stolen, but trade secrets and other proprietary information. In the case of self-storage this is not as much of a concern, but it is possible that cyberthieves could target internal training documents and sales procedures, for example, that could have ramifications down the road.
Avoiding the costs of a data breach
No matter how you slice it, a data breach against your storage operation is going to cost you big time. That is why it is so important to be proactive when it comes to your cybersecurity today. The majority of data breaches are preventable if the right procedures are followed and staff is properly trained to identify fraudulent communications.
Storable uses advanced encryption to protect its award-winning technology products from infiltration, to learn more check out our Product page.
Using Technology to Increase Storage Tenant Insurance Enrollment
How does one get online customers to opt-in to tenant insurance? Learn how technology can help increase tenant insurance enrollment. Keep Reading
Six Ways to Increase Revenue Per Self-Storage Tenant
Average storage prices and occupancy are trending downward. Here are six ways to increase revenue per tenant and protect your bottomline. Keep Reading
Leasing Season Wrap Up: Fundamentals Come Back to Earth
We saw great gains with leasing during COVID but now we are starting to see a return to past trends. Find out what changes we have observed during this recent leasing season. Keep Reading