Two lessons from this: 1. It’s worth investing in cyber security (a full program, not just shiny security tools); 2. Insurance can make the difference between survival and bankruptcy if/when the worst happens…:
A data breach may cost a company millions in recovery and liability damages, but rarely does a breach force a company into bankruptcy. However, a months-long data breach at American Medical Collection Agency (AMCA) in 2018-2019 did just that, forcing its parent company, Retrieval-Master Creditors Bureau Inc., into Chapter 11 bankruptcy. AMCA has not stated whether it had cyber insurance, but the situation presented by this breach and bankruptcy filing serves as a cautionary tale for those without adequate cyber insurance coverage—or any at all.
The direct costs of the AMCA data breach were substantial. By the time of the bankruptcy filing, it is reported that:
- IT consultant fees had exceeded $400,000;
- Direct mail costs of notifying the seven million affected individuals exceeded $3.8 million; and
- Litigation costs from class action lawsuits, breach of contract claims, and government investigations had the potential to become substantial.
In addition to these direct costs, the use of AMCA’s website functionality was severely limited for normal operations. Further difficulties followed when AMCA experienced the almost immediate termination of its contract with LabCorp and the cessation of all new work from its other large clients. Despite AMCA’s efforts to contain the impact, including reducing its headcount, all these effects combined to lead AMCA’s parent company, Retrieval-Master Creditors Bureau Inc., to file for bankruptcy.