In the last five years, the global average cost of a data breach has grown by 12 percent, reaching USD 3.92 million per breach in 2019, according to this year's Cost of a Data Breach Report from the Ponemon Institute and IBM Security. Lost business was the largest contributor to breach costs, with abnormal customer turnover rising to as much as 3.9 percent in the wake of a security incident.
The United States had the highest average total cost per breach at USD 8.19 million, while the Middle East had the highest average number of breached records, 38,800, against a global average of 25,575. At the lower end of the scale, India averaged USD 1.83 million per breach and Brazil USD 1.35 million. Among industries, healthcare had the highest cost per breach, USD 6.45 million, 65 percent above the global average.
The report also confirmed that data breaches take a proportionally heavier toll on smaller organizations. Large businesses with more than 25,000 employees average USD 5.11 million per breach, or USD 204 per employee, whereas companies with 500 to 1,000 employees average USD 2.65 million, or USD 3,533 per employee. It is therefore no surprise that smaller organizations struggle to recover after a breach, with many folding within six months of an incident.
The different types of costs of a data breach
Data breach costs can be direct or indirect. Direct costs include the fines national regulators may impose for noncompliance with data protection legislation, and the cost of the response mechanisms, such as detection and notification processes, that have to be activated when a breach occurs. Once an incident becomes public, the company's share price and sales revenue are also likely to fall.
Specialized help, such as cybersecurity consultancies brought in to investigate the incident and legal services to handle the fallout, including potential lawsuits, also counts as a direct cost. Depending on the nature of the breach and the legislation in place, companies may also have to compensate affected customers financially.
Indirect costs are the long-term consequences a company faces because of a breach. As shown above, breaches erode consumer trust and raise customer turnover. They also discourage investors and hurt long-term growth, market share and share prices. As a company's reputation declines, it can struggle to retain its best employees, who prefer to work for organizations with a high standing. Meanwhile, insurance premiums are likely to rise, as is spending on cybersecurity measures.
The rise of compliance fines
In 2018, immediately after the General Data Protection Regulation (GDPR) came into force, European data protection authorities gave businesses additional breathing room to reach compliance. In 2019 the gloves came off, with the first major GDPR fines issued to companies across Europe.
In July 2019, the UK's Information Commissioner's Office (ICO) announced its intention to fine British Airways approximately 204 million euro (GBP 183.39 million), 1.5 percent of its annual turnover, for security failures that led to a breach affecting around 500,000 of its customers. Only one day later, a second substantial penalty of around 110.4 million euro (GBP 99.2 million) was announced against Marriott International for similar security failures.
France's CNIL, meanwhile, went after one of tech's biggest players, Google, with a 50 million euro fine for failing to obtain valid consent for personalised ads. In Germany, 75 fines totalling 449,000 euro had been imposed, and in Poland a data brokerage company was fined around 220,000 euro for failing to inform individuals that their data was being processed.
Long term impact of data breaches
Data breaches affect organizations for years, with one-third of costs incurred more than a year after the incident. The 2019 Cost of a Data Breach Report found that 67 percent of breach costs fell in the first year, 22 percent in the second and 11 percent more than two years after the breach. Highly regulated industries such as healthcare and finance carry more of the cost in later years: the first year accounts for 53 percent, the second for 32 percent and the third for 16 percent.
As the year draws to a close, it is clear that the cost of a data breach is rising worldwide as new data protection legislation favouring consumers is adopted and enforced, and as data subjects grow wary of companies hit by breaches. The trend is unlikely to stop in 2020, when the California Consumer Privacy Act comes into effect and the US moves closer to enacting a federal data protection law.
Companies need to invest in cybersecurity and data protection before they are faced with the far higher bill and reputational damage a breach brings. It is equally essential to have a tested response plan in place. The 2019 Cost of a Data Breach Report found that organizations with an incident response team that had extensively tested its response plan saved over USD 1.2 million on average when breached.