What’s the Real Cost of a Data Breach?
Updated September 2019
Data breaches are simply a fact of life. Businesses in every industry, in every country, are attacked by data thieves and malicious insiders on a daily basis. As pervasive as they are today, cyber threats will only grow more severe as time goes on—each newly-developed way to communicate or do business online creates new forms of sensitive data that hackers, industrial spies, and state-sponsored operatives are ready to exploit.
Like any other type of widespread theft, data breaches come with a heavy cost. The most recent IBM/Ponemon Institute study calculated the cost of a data breach at $242 per stolen record, and more than $8 million for an average breach in the US. The same study estimated that a typical company has a 29.6 percent chance of experiencing a data breach in the next 24 months, a dramatic increase in the odds from just a few years ago.
Why are data breaches so costly? Because the damage from a breach is never limited to one aspect of a company’s operations. The loss or theft of sensitive information inevitably hurts a company in multiple places, creating liabilities and limitations that can take years to overcome. In fact, the true long-term cost of a breach is almost certainly higher than the Ponemon calculation, because it involves lost opportunities and competitive disadvantages that are impossible to quantify. When evaluating its risks, however, a company should consider each one of the costs it might incur after a data breach.
The most visible cost of a data breach often comes in the form of legal settlements. In recent years, companies including Yahoo, Equifax, and Target have paid out tens or even hundreds of millions of dollars in consumer class action suits and settlements with banks. Individual lawsuits and private settlements, not to mention thousands of hours of attorney time, can push an organization’s total legal costs much higher than the publicized amounts.
Until recently, government penalties were a secondary concern compared to the civil suits that typically follow a data breach. Companies in certain industries—healthcare, for example—could be penalized for failing to protect certain forms of information, but data protection in many other industries was entirely unregulated.
New laws have changed the picture completely. In Europe, thanks to the GDPR (and the UK’s similar Data Protection Act), supervisory authorities have the ability to fine companies as much as 4% of their top-line revenue for failing to protect personal data. And it’s happening—British Airways and Marriott International, for example, were each handed nine-digit fines for their recent breaches.
In the US, New York adopted a first-of-its-kind cybersecurity law that places new obligations on banks, insurance companies, and other financial services firms. California, Colorado, and other states have also jumped on the cybersecurity regulation bandwagon.
The direct costs of a cyber attack might grab more headlines, but the true cost of a data breach goes far beyond a company’s payouts for lawsuits and government fines. Bad publicity and loss of consumer confidence can slow a company’s sales for years. Large corporations may be able to survive a series of bad years in a row, but smaller firms (or those in especially competitive industries) can be forced out of the market in the aftermath of a breach.
If a data breach targets intellectual property rather than customer data, the consequences can be just as severe. The 2011 breach of RSA’s SecureID token codes is a classic example—the company incurred more than $60 million dollars in costs to replace compromised tokens and otherwise mitigate the damage to its signature product.
Along with the consumers whose personal information gets offered up for sale to the highest bidder, a data breach creates a second group of victims as well—the shareholders whose investment portfolios and retirement accounts take a hit as the company’s financial statements bleed from the top and bottom line. A recent study of data breaches in the UK found that a typical company loses about 2 percent of its value after a breach, often costing its shareholders millions. This is one of the reasons that corporate boards are beginning to take a serious interest in their companies’ cybersecurity vulnerabilities.
What You Can Do
It might sound counterintuitive, but the first step in avoiding data breach costs is to accept that no matter how much security you build into your networks and devices, your organization’s security will inevitably be breached. In today’s digital economy, there are simply too many threat vectors and too many opportunities for something to go wrong. Whether the breach starts with a careless employee, a malicious insider, or an external hacker, your company’s sensitive data will eventually find itself in the wrong hands.
Once you’ve accepted that fact, you can rethink your security strategy with the goal of minimizing the adverse effects of a breach. The single most effective way to do that is to protect your information with automated data security and persistent data encryption. When encrypted data is stolen, thieves are unable to access or exploit it, greatly reducing the risk to your reputation and your bottom line. The IBM/Ponemon study, in fact, names encryption and automation as two of the most significant mitigating factors in data breach costs, saving companies millions of dollars on average.
PKWARE’s data protection platform delivers automated, persistent protection that keeps data safe from unauthorized access, even if files or devices are stolen. If your sensitive information is sitting unprotected on user devices, servers, or mainframes, find out how PKWARE can help you avoid the short-term and long-term costs of a data breach.