Fallout: The Consequences of a Data Breach
Many organizations collect sensitive data and are responsible for appropriately protecting it. With new regulations like the EU’s General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the definitions of personal data have been greatly expanded, and the financial impacts of a data breach for an organization are significant. Under GDPR, it can be the greater of 4 million Euros or 4% of global turnover per breach and the CCPA can fine up to $7,500 per breached record.
Business Impacts of a Data Breach
While the financial impacts of a data breach are significant and obvious, they’re not the only ways that a data breach can impact a company. These other impacts include legal repercussions, impacts on productivity, and reputational damage and can be equally or more damaging to the company than the financial impacts associated with regulatory penalties.
Financial impacts are the most obvious ways in which a data breach can impact a company. Most privacy regulations (like GDPR and CCPA) intentionally impose significant penalties on a company in order to incentivize organizations to proactively take action to protect their sensitive data. In many cases, it’s cheaper to take the steps to secure sensitive data before a breach (since there is less of a rush) than after the fact.
The financial impacts of a data breach aren’t limited to regulatory penalties. Many of these regulations require notification of affected parties, often companies need to provide credit monitoring services to affected customers, and breaches often require hiring third-party incident response teams to perform investigative and remediation tasks if the necessary skills are not available in-house. All of these can cost serious money. According to IBM, the average total cost of a data breach is $3.85 million.
Legal implications of a data breach can be complicated. Regulations like the GDPR reserve the right for regulatory bodies to levy civil and criminal charges against the organization for negligence that did or could result in a data breach. Dealing with these legal charges can have financial implications as well as harming the business's reputation, productivity, and ability to operate.
Depending on the details of the breach, organizations may also be subject to lawsuits by affected parties. More than one organization has been the defendant in a class action lawsuit brought by customers who were affected by the breach and are demanding restitution.
One often overlooked impact of a data breach is the loss of productivity among employees. At a minimum, a data breach will pull a large number of IT employees away from their standard jobs of protecting the network in order to perform incident response, remediation, and similar tasks. This can cause cascading issues, since these employees are not available to do their normal work of defending against new attacks, performing helpdesk duties, and so on.
Data breaches also affect the legal, media, financial, and other departments that are drawn into the process of performing damage control, not to mention the customer service employees who field the angry phone calls from clients.
Failing to protect customers’ personal data can also have a significant impact on a company’s reputation. While many consumers may not be consciously making the decision to trust a company with their personal information when they create an account with a given service, they typically are extremely offended when they find out that, not only was the company collecting their personal data, it also didn’t take the necessary steps to protect what it collected.
In October 2018, a study was published that measured how a data breach can affect an organization’s ability to retain customers. Of the 2,000 adult consumers who participated in the survey, 81% said that they would not do business with an organization in the months after a breach and 21% said that they would leave permanently.
Losing 81% of a quarter’s profits could be devastating to some businesses, and a quarter of that loss could be permanent. The fact that Facebook still exists demonstrates that not every consumer follows through on the threat to leave after a breach, but the potential still exists. And this threat is not limited to companies that actually have a breach. 45% of consumers in the same study said that even the appearance of failing to secure data is enough to make them limit their spending with the company, and 26% would cease spending entirely.
Managing Data Breach Impacts
The best way to deal with a data breach is to never have one. Ideally, an organization’s cyber defenses would be strong enough to repel any possible attacks. Realistically, every organization has vulnerabilities in their cyber defenses that may be identified and exploited by an attacker. With limited resources, an organization needs to focus their attention on the aspects of their cybersecurity strategy most likely to provide a positive impact. When trying to prevent data breaches, a focus on the data security strategy is in order.
Every organization that collects, processes, stores, or transmits sensitive data (especially customers’ personal information) should have a data security solution in place for monitoring this data. A good data security solution should be able to identify data repositories and track access to them. If a user is exhibiting anomalous or risky behavior, an alert should be generated.
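To make the "identify repositories, track access, alert on anomalous behavior" requirement concrete, here is an added example (not code from the article or any product it refers to) that builds a per-user access baseline from constructed log lines and flags two kinds of risky behavior: a first-time read of a repository tagged as holding personal data, and a read volume far above that user's historical median for a repository. The repository inventory, log format, user names and thresholds are all assumptions made for the illustration.

```python
"""Toy data-access monitoring: baseline who reads which repository, then alert
on anomalous reads.  All inventory, log lines and thresholds are constructed."""
from collections import defaultdict
from statistics import median

# Constructed inventory: repository name -> does it hold personal data?
# Real deployments would populate this from a data-discovery/classification step.
REPOSITORIES = {
    "crm_customers": True,
    "hr_payroll": True,
    "marketing_assets": False,
    "build_artifacts": False,
}

# Constructed historical access log: "timestamp user repository records_read"
BASELINE_LOG = """\
2024-03-01T09:05:00Z alice crm_customers 40
2024-03-01T10:12:00Z alice crm_customers 55
2024-03-02T09:30:00Z alice crm_customers 48
2024-03-01T11:00:00Z bob marketing_assets 12
2024-03-02T11:20:00Z bob marketing_assets 9
2024-03-02T14:00:00Z bob build_artifacts 3
"""

# Constructed new log lines to evaluate against that baseline.
NEW_LOG = """\
2024-03-03T09:10:00Z alice crm_customers 51
2024-03-03T02:45:00Z alice crm_customers 25000
2024-03-03T13:00:00Z bob hr_payroll 200
2024-03-03T13:05:00Z bob marketing_assets 10
"""


def parse_log(text):
    """Parse the constructed whitespace-separated log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, repo, count = line.split()
        events.append({"ts": ts, "user": user, "repo": repo, "records": int(count)})
    return events


def build_baseline(events):
    """Per user: {repository: median records read per access}.  Repositories a
    user has never touched simply do not appear in their baseline."""
    per_user = defaultdict(lambda: defaultdict(list))
    for e in events:
        per_user[e["user"]][e["repo"]].append(e["records"])
    return {u: {r: median(c) for r, c in repos.items()} for u, repos in per_user.items()}


def detect_anomalies(baseline, events, volume_factor=10):
    """Return (timestamp, user, repository, reason) tuples worth alerting on."""
    alerts = []
    for e in events:
        user_base = baseline.get(e["user"], {})
        # A repository missing from the inventory is treated as sensitive
        # (fail closed) so an unclassified data store is not silently ignored.
        sensitive = REPOSITORIES.get(e["repo"], True)
        if e["repo"] not in user_base:
            if sensitive:
                alerts.append((e["ts"], e["user"], e["repo"],
                               "first access to a repository holding personal data"))
            continue
        typical = user_base[e["repo"]]
        if e["records"] > volume_factor * typical:
            alerts.append((e["ts"], e["user"], e["repo"],
                           f"read {e['records']} records, over {volume_factor}x "
                           f"baseline median of {typical}"))
    return alerts


def run_example():
    """Build the baseline from BASELINE_LOG and evaluate NEW_LOG against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect_anomalies(baseline, parse_log(NEW_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(*alert)
```

Run as a script, the example reports alice's 25,000-record read of `crm_customers` (her baseline median is 48) and bob's first-ever read of `hr_payroll`; alice's routine 51-record read and bob's marketing reads produce nothing. The point of the design is that both checks depend on knowing where the sensitive data lives and who normally touches it, which is why discovery and access tracking come before any alerting rule.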
Dealing with Breaches
Data breaches are annoying, but the increasing number of them seems to indicate that they’re here to stay. When performing cost-benefit analyses and analyzing potential protections against data breaches, it’s important to consider all potential costs of a breach. In most situations, taking the time to make the right investments now can save a lot in the long run.