Why the long-term effects of a data breach on your business can be catastrophic
Billions of personal records are lost or stolen every year, either through cyberattack or simple data mismanagement. In 2018 some of the biggest names in government, technology, healthcare, travel and hospitality suffered data losses.
At the same time, data privacy has never been more important; companies are now subject to intense scrutiny from regulators as to how they handle, store and secure their customers’ personally identifiable information (PII) and data.
The most recent Cost of a Data Breach Study by The Ponemon Institute shows that the cost of a data breach is snowballing, with more records being lost or stolen every year. Here are the stats:
- Average total cost of a data breach: $3.86 million
- Average total one-year cost increase: 6.4 percent
- Average cost per lost or stolen record: $148
- One-year increase in per capita cost: 4.8 percent
- Likelihood of a recurring material breach over the next two years: 27.9 percent
- Average cost savings with an Incident Response team: $14 per record
How can you work out the cost of a data breach?
The cost of a data breach covers detection, escalation, notification, and any activities an organization must undertake following an incident, including working to repair their reputation. Here are the most common outlays following a breach.
Detection and escalation of a data breach
This is the cost incurred at ground zero – as soon as a breach is detected. Once an organization detects a breach or loss of data, it must report it within a specified time-frame.
For this they may need to implement forensic and investigative activities, assessment and audit services, crisis-team management, as well as communicating the problem to management and the board of directors.
The problem is that data loss can remain undetected for months after the original attack. The Ponemon study shows that the average time taken to identify a breach was 197 days in 2018, and the average time to contain it was 69 days.
However, it can take much longer to locate a data leak – last month it came to light that 42,000 patients in Florida had their personal and health information exposed in a breach that lasted 16 months.
Post data breach response
These are the costs associated with communicating with the individuals affected by the data leak, as well as the costs of making reparation to customers and regulators.
For example, any help desk activities or inbound communications, credit report monitoring and identity protection services, as well as issuing new accounts or credit cards, legal expenses and regulatory fines. (This can come in the form of subsequent legal action – see the Wendy’s data breach, below.)
Post-breach, organizations must notify the individuals whose data was compromised via email, letters, outbound telephone calls, or by general notice. They also need to communicate with regulators and perhaps engage outside experts.
It is vital that organizations get this right. Under GDPR, an organization must notify the relevant supervisory authority within 72 hours of becoming aware of a breach (unless the breach is unlikely to result in a risk to individuals), and must inform the affected individuals without undue delay where the breach is likely to result in a high risk to them. The penalty for failing to meet these notification duties is up to €10 million or two percent of annual global turnover, whichever is higher.
In addition to these initial expenses, some of the most dramatic long-term ramifications of a data breach or data leak occur in the weeks, months and even years following an incident.
Lost business following a data leak
Initial costs of lost business might include business disruption and system downtime. However, data breaches will also result in the long-term loss of customers, reputation and goodwill. Forty-one percent of British consumers and 21 percent of US consumers said they will stop spending with a business or brand forever following a data security breach. This type of reputation damage can be difficult to repair.
Ponemon says that organizations that lost less than one percent of their customers due to a data breach saw an average total breach cost of $2.8 million in 2018. Where four percent or more of customers were lost, the average cost was $6 million, a difference of $3.2 million.
Data loss also leaves organizations open to legal action. Wendy’s recently settled a $50 million lawsuit after cybercriminals infected 1,025 of its point-of-sale systems with malware, leading to the loss of large quantities of payment card data. Having already settled a consumer class-action lawsuit for $3.4 million, Wendy’s agreed to pay $50 million to compensate affected card issuers for breach-related losses and expenses, such as the cost of reissuing cards and reimbursing cardholders for fraud losses.
Regulatory penalties following data breaches
Under GDPR, organizations can be fined up to four percent of annual global turnover or €20 million, whichever is greater, if they fail to comply with the regulation.
In the US there are also efforts to introduce data privacy regulations at state level – with the likes of the California Consumer Privacy Act (CCPA) – and at federal level with the US Senate examining how lawmakers can protect consumer privacy.
In real terms, a company can lose market value following a data breach. A multi-year study by Comparitech published in 2018 shows that data breaches have an impact on a company’s share price. The study’s authors said that the impact of data breaches “likely diminished over time, but the damage was still visible in the stock’s NASDAQ performance indicator even after three years, in some cases”. The following impacts were recorded.
- Share prices of breached companies hit a low point approximately 14 market days following a breach
- Finance and payment companies saw the largest drop in share price performance following a breach
- Breaches that leak highly sensitive information such as credit card numbers and social security numbers see larger drops in share price performance, on average, than breaches that leak less sensitive information
Third-party problem in data breaches
A reported 59 percent of companies say they have experienced a data breach caused by one of their vendors or third parties. More worryingly, many of these types of breaches go undetected: 22 percent of respondents to a late 2018 survey by Opus and Ponemon admitted they didn’t know if they’d had a third-party data breach in the past 12 months.
Furthermore, only 37 percent indicate they have sufficient resources to manage third-party relationships and only 35 percent rate their third-party risk management program as highly effective.
Considering the wide ecosystem of third-party vendors in today’s IT environment – particularly those with access to vital business resources such as the company website – organizations must have a complete view of which third parties have access to what sensitive data, and how they are using it. A formal process for inventorying and monitoring third parties protects against data leakage from the outside in and helps defend your organization from a costly data breach incident.
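The inventory-and-monitoring process above is easy to describe and rarely done in practice, so here is a concrete starting point for the website case: a script that lists every third-party origin a page pulls code or content from and flags any that are not on the approved vendor list. This is an added illustration, not Ensighten’s code or a description of its product; the checkout page HTML, the vendor hostnames and the approved list are all constructed for the example. It goes slightly beyond the paragraph by also counting inline scripts (which an allowlist cannot vouch for) and plain-http loads (which any network intermediary could tamper with).

```python
"""Audit the third-party origins a web page loads against an approved inventory.

Added illustration; the page, the hostnames and APPROVED_VENDORS are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed approved-vendor inventory: origin -> what the vendor is allowed to see.
APPROVED_VENDORS = {
    "https://cdn.analytics-vendor.example": "page analytics (no form data)",
    "https://tags.consent-vendor.example": "consent management",
}

# Tag attributes through which a page pulls code or content from another origin.
RESOURCE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "img": ("src",),
}

# Constructed sample: a checkout page (card number field present) with four vendors.
SAMPLE_CHECKOUT_PAGE = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
<script src="https://tags.consent-vendor.example/cmp.js"></script>
<script src="//static.unknown-widget.example/chat.js"></script>
<script>window.dataLayer = [];</script>
</head><body>
<form id="payment"><input name="card_number"></form>
<img src="http://pixel.tracker.example/p.gif">
<iframe src="https://cdn.analytics-vendor.example/frame.html"></iframe>
</body></html>
"""


class ThirdPartyCollector(HTMLParser):
    """Records the origin of every externally loaded resource and counts inline scripts."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.origins = {}       # origin -> set of tag names that load from it
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and "src" not in attrs:
            self.inline_scripts += 1  # inline code cannot be attributed to any vendor
        for attr in RESOURCE_ATTRS.get(tag, ()):
            url = attrs.get(attr)
            if not url:
                continue
            parts = urlsplit(url)
            if not parts.netloc or parts.hostname == self.first_party_host:
                continue  # relative or first-party URL
            # Assumption: a protocol-relative URL ("//host/...") resolves to https here.
            scheme = parts.scheme or "https"
            origin = f"{scheme}://{parts.netloc}"
            self.origins.setdefault(origin, set()).add(tag)


def audit_page(html, first_party_host, approved=APPROVED_VENDORS):
    """Return approved origins, unknown origins (with the tags that load them),
    the inline script count and any origins loaded over plain http."""
    collector = ThirdPartyCollector(first_party_host)
    collector.feed(html)
    found = collector.origins
    return {
        "approved": sorted(o for o in found if o in approved),
        "unknown": {o: sorted(tags) for o, tags in found.items() if o not in approved},
        "inline_scripts": collector.inline_scripts,
        "non_https": sorted(o for o in found if o.startswith("http://")),
    }


if __name__ == "__main__":
    report = audit_page(SAMPLE_CHECKOUT_PAGE, "shop.example")
    for origin in report["approved"]:
        print(f"approved  {origin}: {APPROVED_VENDORS[origin]}")
    for origin, tags in report["unknown"].items():
        print(f"UNKNOWN   {origin} loaded via {', '.join(tags)} - not in inventory")
    print(f"inline scripts: {report['inline_scripts']}, plain-http origins: {report['non_https']}")
```

Run against a real page by fetching its HTML (or, better, by walking the `script`, `iframe`, `link` and `img` nodes in a headless browser after the page has executed, since tags injected by other tags never appear in the static HTML) and feeding it to `audit_page`. Any origin in `unknown` on a page that carries a payment or login form is exactly the third-party access path the paragraph warns about, and it should be traced back to a named vendor and a documented purpose or removed.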
How to guard against data breaches
The fact is that no organization that suffers a data breach will escape without serious long-term financial or reputational damage.
It is therefore impossible to overstate the importance of securing the data, corporate or personal, for which you are liable – the potential short- and long-term damage you can suffer otherwise is almost incalculable. Marketing security is vital.
Importantly, there is a direct correlation between how quickly an organization can identify and contain data breach incidents and the severity of the financial consequences – companies that contained a breach in less than 30 days saved more than $1 million versus those that took longer.
When it comes to data leaks, prevention is better than cure; investing in a comprehensive data privacy solution now could save your company millions in lost business and regulatory penalties. Speak to Ensighten about how to gain insight into your data, any third-party vulnerabilities and potential breaches, so that you maintain regulatory compliance and keep your business up and running.