The Real Cost of a Data Breach: Compliance Penalties are Just the Tip of the Iceberg

July 21, 2019 Security and Compliance, MOVEit

I’ve said it before and I’ll say it again: We are living in the age of the data breach. Now more than ever, our lives are defined by the massive data sets built from our online presence, and now more than ever, they are routinely disrupted when those data sets fall into the wrong hands.

In 2019, data breaches have become so common that many of us have become numb to them. Hell, they’re hardly front-page news. The month-long ransomware siege of Baltimore, for example, was hardly a blip on the national news’ radar.

In 2018, there were over 1200 major data breach incidents, according to the Identity Theft Resource Center, with a total of 446,515,334 records compromised.

The average cost of those breaches? Approximately $3.9 million, according to research from the Ponemon Institute.

Now, you wouldn’t be wrong to express some sticker shock at that number, but the truth is, there’s a lot more to the cost of a data breach than financials.

The total cost of a large data breach can be difficult to calculate. The effects of breaches are wide-ranging, impacting many areas of a business—from stock price to consumer trust—and those costs can persist for a long time. For example, do you think anyone will trust the Equifax brand any time soon?

Recovery from a breach can also be a costly process in terms of employee time, outside vendors, and new infrastructure, as well as the costs of mandatory notification to customers.

In this post, we’ll cover the major costs of a data breach—financial and otherwise.

Stock Price: The Immediate Hit

For publicly traded corporations, a hit to their stock price is usually the most immediate and visible cost of a data breach. Typically, in the weeks following a breach, Wall Street does punish businesses that suffer data breaches to the tune of about 3% on average, according to a report from Comparitech. But does the decline in stock price stick? Not always. According to Comparitech, prices usually rebound to catch up with the NASDAQ average in about a month.

Regardless, a 3% drop for any length of time is a disruption to growth, and it can be enough to scare off potential investors, or invite questions about a company’s long-term viability.

Compliance Penalties and Legal Costs

In most countries, any company that suffers a data breach is legally responsible for the data lost in that breach, and often there are major financial penalties if an organization is found to be negligent in the wake of a data breach. These can lead to enormous costs, not only in fines and penalties, but in retaining legal counsel. Even if a company is not at all at fault, legal counsel will still be necessary to advise the company, and that doesn’t come cheap.

The European Union’s General Data Protection Regulation (GDPR), for example, can impose penalties of up to €20 million, or four percent of global annual revenue, whichever is larger.

In the worst case, a business could end up paying the maximum fines, and defending itself from shareholder or customer lawsuits for years after a breach.

The Hidden Cost: Loss of Consumer Trust and Reputational Damage

While the costs outlined above are somewhat straightforward and quantifiable, there is a deeper cost to a data breach that can have a long-term negative effect on business: the loss of consumer trust.

After every data breach, there is always a certain percentage of customers who will no longer feel safe doing business with the breached company. In fact, according to a study from Gemalto, up to 64% of consumers say they would stop doing business with a company after a data breach occurred. And, when you lose a customer, you not only lose their immediate value, you lose their lifetime value, and the money it takes to acquire new customers to replace them.

What's more, the reputational damage caused by a highly publicized data breach can make it more difficult to acquire new customers.

An Ounce of Prevention is Worth a Pound of Cure

So, what’s the best way to avoid incurring these tremendous costs? It’s simple: don’t get breached. Easier said than done, right? Well, if the statistics provided above prove anything, it’s that any investment in data breach prevention is a worthwhile investment, whether it be intrusion prevention, employee training, encrypting data in transit or at rest, or improving monitoring systems.

Jeff Edwards

Jeff Edwards is a tech writer and analyst with three years of experience covering Information Security and IT. Jeff has written on all things cybersecurity, from APTs to zero-days, and previously worked as a reporter covering Boston City Hall.