What's the Real Cost of a Data Breach?
Data breaches are simply a fact of life. Businesses in every industry, in every country, are attacked by data thieves and malicious insiders on a daily basis. As pervasive as they are today, cyber threats will only grow more severe as time goes on—each newly developed way to communicate or do business online creates new forms of sensitive data that hackers, industrial spies, and state-sponsored operatives are ready to exploit.
Like any other widespread form of theft, data breaches come with a heavy cost. Last year, a Ponemon Institute study calculated the cost of a data breach at nearly $160 per stolen record, or $4 million for an average breach. The same study estimated that a typical company has a 26% chance of experiencing a 10,000+ record data breach in the next 24 months. Put another way, one in four companies will lose $1.5 million or more on a data breach over the next two years.
Why are data breaches so costly? Because the damage from a breach is never limited to one aspect of a company’s operations. The loss or theft of sensitive information inevitably hurts a company in multiple places, creating liabilities and limitations that can take years to overcome. In fact, the true long-term cost of a breach is almost certainly higher than the Ponemon calculation, because it involves lost opportunities and competitive disadvantages that are impossible to quantify. When evaluating its risks, however, a company should consider each one of the costs it might incur after a data breach.
The most visible cost of a data breach often comes in the form of legal settlements. In recent years, companies including Target, Home Depot, and Neiman Marcus have paid out tens of millions of dollars in consumer class action suits and settlements with banks. Individual lawsuits and private settlements, not to mention thousands of hours of attorney time, can push an organization’s total legal costs much higher than the publicized amounts.
Until recently, government penalties were a secondary concern compared to the civil suits that typically follow a data breach. Companies in certain industries—healthcare, for example—could be penalized for failing to protect certain forms of information, but information security in many other industries was entirely unregulated.
Two new laws are beginning to change the picture. In Europe, the General Data Protection Regulation (GDPR) will give supervisory authorities the ability to fine companies as much as 4% of their top-line revenue for failing to protect the personal data of EU citizens. In the US, New York adopted a first-of-its-kind cybersecurity law that places new obligations on banks, insurance companies, and other financial services firms. Other jurisdictions are also considering new cybersecurity laws, raising the possibility that future data breaches will carry heavy regulatory price tags.
The direct costs of a cyber attack might grab more headlines, but the true cost of a data breach goes far beyond a company’s payouts for lawsuits and government fines. Bad publicity and loss of consumer confidence can slow a company’s sales for years. Large corporations may be able to survive a series of bad years in a row, but smaller firms (or those in especially competitive industries) can be forced out of the market in the aftermath of a breach.
If a data breach targets intellectual property rather than customer data, the consequences can be just as severe. The 2011 breach of RSA's SecurID token codes is a classic example—the company incurred more than $60 million in costs to replace compromised tokens and otherwise mitigate the damage to its signature product.
Along with the consumers whose personal information gets offered up for sale to the highest bidder, a data breach creates a second group of victims as well—the shareholders whose investment portfolios and retirement accounts take a hit as the company’s financial statements bleed from the top and bottom line. A recent study of data breaches in the UK found that a typical company loses about 2% of its value after a breach, often costing its shareholders millions. This is one of the reasons that corporate boards are beginning to take a serious interest in their companies’ cybersecurity vulnerabilities.
What You Can Do
It might sound counterintuitive, but the first step in avoiding data breach costs is to accept that no matter how much security you build into your networks and devices, your organization’s security will inevitably be breached. In today’s digital economy, there are simply too many threat vectors and too many opportunities for something to go wrong. Whether the breach starts with a careless employee, a malicious insider, or an external hacker, your company’s sensitive data will eventually find itself in the wrong hands.
Once you've accepted that fact, you can rethink your security strategy with the goal of minimizing the adverse effects of a breach. The single most effective way to do that is to protect your information with strong encryption that travels with the data, protecting it both at rest and in motion. When encrypted data is stolen, thieves cannot read or exploit it, so there's far less risk to your reputation and your bottom line.
PKWARE’s data protection platform delivers persistent protection that keeps data safe from unauthorized access, even if files or devices are stolen. If your sensitive information is sitting unprotected on user devices, servers, or mainframes, find out how PKWARE can lock down your data and help you avoid the short-term and long-term costs of a data breach.