The Hidden Costs of a Data Breach

The Growing Threat of Breaches

Companies are collecting and storing ever-increasing amounts of customer’s personal data. While some organizations are doing so to perform mass-scale data mining, the average business is collecting data simply to perform their core business practices. It’s pretty difficult to keep track of a user’s account without an email address or send a parcel without a shipping address.

Unfortunately, the troves of sensitive data that companies are collecting are a major target for hackers. An individual’s personal data can be used for a variety of malicious purposes (identity theft, spear phishing, and blackmail to name a few), so this information can fetch a pretty good price on the black market. The collections of sensitive data held by businesses are a treasure trove to any hacker who can access them.

As a result, data breaches are becoming increasingly common. In 2018, 5 billion records (or individual customers’ data collected by a business) were stolen by hackers. Since the cost of a data breach to the organization is often proportional to the number of records stolen, the impact of these breaches on the global economy is significant.

Hidden Costs of Data Breaches

Data breaches are expensive for the attacked organization. Some costs are directly related to managing the impacts of the breach (investigating the incident, paying fines, etc.), while some are more indirect. In 2019, a data breach costs a company an average of $8.19 million. These costs are spread over a variety of different impacts.

Investigation and Remediation

After a data breach has occurred, the organization needs to perform an investigation to determine the scope of the breach and remove any traces of the attacker from the network. This can be a complicated and expensive proposition since:

1. Many organizations don’t have the expertise in-house to investigate.
2. Attackers cover their tracks to make investigation more difficult.

Once the incident investigation has been completed, the organization needs to pay the costs of remediation. This not only includes the price of implementing all of the cybersecurity protections that were lacking in the first place (allowing the breach to occur) but also the price of fixing any damage caused by the attacker while they had access to the system. The need to perform these investigations and mitigations quickly can also add to the price tag.

Reputational Damage

One of the hardest costs of a breach to quantify is the damage to an organization’s reputation after a breach. Their customers have trusted them to properly protect the sensitive data entrusted to them and the organization has failed to do so. After a breach, an organization has to endure numerous news reports and articles dissecting what they did wrong and how their security processes were inadequate.

A great example of the impact of reputational damage to a company due to a breach is the general feelings of the American public towards Equifax. The Equifax breach was over a year ago, yet people are still annoyed with the company. The Equifax breach may be an extreme case since no-one gave their data directly to Equifax (so they’re not happy with it being lost) and the breach was caused by gross negligence by the company (failure to patch a vulnerability that was being actively exploited for months before the breach), but the current ill feelings toward the company demonstrate how an organization’s reputation can suffer after a breach.

Compliance Reporting and Penalties

In recent years, governments have been increasingly focused on protecting the personal data of their constituents. The EU’s General Data Protection Regulation (GDPR) is the most famous of these, but a variety of different nations and states have passed data privacy regulations to protect their citizens. These new regulations and standards are in addition to those already in effect, including PCI DSS, HIPAA, FISMA, SOX, and others.

As a result, the average organization may be required to achieve, maintain, and demonstrate compliance with several different regulations. In the event of a breach, this involves determining if the breach is reportable, whom to report it to, and how the report needs to be performed. Once a report is filed, the organization needs to cooperate with regulators and may be fined for negligence as a result of the breach. The manpower and fines associated with this can dramatically increase the cost of a breach. British Airways was fined $230 million by GDPR regulators for a 2018 data breach.

Notification and Compensations

After a data breach has occurred, the breach organization may be compelled to notify affected parties and provide compensation. While commonly these notifications are performed by email and have minimal cost to the organization, determining who needs to be notified can require significant effort.

Compensation costs can also be significant to an organization. Commonly breached businesses offer identity monitoring, but it is not uncommon for affected parties to file lawsuits against the organization for damages. The costs of litigation, settling, and/or any damages can be a significant cost to the organization.

Loss of Future Revenue

The impacts of a breach in terms of lost future revenue are difficult to determine. Multiple surveys have found that as many as 70% of customers will stop buying from a company after a breach. However, the fact that the #deletefacebook movement fizzled despite all of the missteps that Facebook has made regarding properly using and protecting customer data demonstrates that this may not be the case. If customers have no viable alternative, they may stick with a breached company, but many organizations will see a drop off in sales after reporting a breach.

Protecting Against a Breach

The simplest way to prevent data breaches is to ensure that the organization’s defenses are never breached by a hacker. However, this expectation is unrealistic. Every company is likely to suffer at least one successful cyberattack, and most companies will be the victim of several.

Protecting against data breaches requires ensuring that, even if a hacker can breach the organization’s defenses, that they can’t steal any valuable data. The best way to accomplish this is by encrypting data at rest.