When calculating the cost of running a business, companies typically tend to analyze factors such as labor cost, operating expenses, marketing and advertising, inventory, insurance, and taxes. Only, what happens when unexpected costs occur, such as a security data breach exposing the customers’ personal data to unauthorized parties? And is it still reasonable to consider such costs as unexpected?
A couple of decades ago, most companies did not perceive the likelihood of suffering a data breach as high, as this was something they only rarely heard of happening to others. However, in today’s digital age, data breaches have become an all too common occurrence for companies of all sizes. Simply put, a data breach is every security incident in which an entity gains access to another entity’s information without authorization. This may include both unintentional breaches (such as when an employee accidentally sends protected data to an incorrect email address) as well as deliberate and financially motivated breaches targeting sensitive data in the company’s possession.
This can lead to significant costs for companies that fall victim to these breaches.
Based on the report from IBM Security, in 2022 the companies spent a whopping 4.4 million dollars on average for handling a single data breach, which is a 2.6% increase from the previous year and a 13% jump since 2020. The shocking amount was calculated in IBM’s yearly report, where data breaches experienced by 550 organizations around the world were analyzed. It also seems this increasing trend will continue, as Acronis, a global leader in cyber protection, speculates that the figure might reach 5 million dollars in 2023.
Of course, not all industries are equally affected – the costliest data breaches are the ones hitting the healthcare, pharmaceutical, retail, financial, and energy sectors. Together with the tech sector, these industries are also the ones most often targeted by ransomware attackers, where the average ransom payout has now reached more than 258,000 dollars, according to BlackFog’s report The State of Ransomware in 2022.
Now, 4.4 million US dollars does not just come out of nowhere all at once. Unfortunately, paying the ransom is often just the beginning, as in many cases the recovery projects cost more than the original ransom itself. This figure partly consists of direct financial costs the companies face when investigating, containing, and repairing a breach, including notifications made to authorities and customers, paying the regulatory fines imposed, as well as legal fees, compensations, and settlements resulting from customer lawsuits.
As a recent example, T-Mobile has agreed to a 555 million dollar settlement (350 million in compensation and 150 million to invest in improving its data security), in a class action lawsuit filed by its customers, over a data breach where personal information of more than 76 million people was exposed.
In addition, there are also downtime costs associated with the disruption to business operations that can result from a data breach. When a company’s systems are compromised, it may have to shut down operations temporarily to investigate and fix the issue. This can lead to lost productivity and revenue, as well as increased costs associated with getting systems back up and running. According to Statista, the average company experiences almost three weeks of downtime when successfully targeted by a ransomware incident.
Reputational costs are also particularly hard to swallow – when a company’s customers’ data is breached, they may lose trust in the company and choose to take their business elsewhere. This can result in a decline in revenue and market share, as well as a tarnished reputation that can be difficult to repair.
The costs of data breaches can also include indirect costs such as the loss of intellectual property or trade secrets. A breach can expose valuable information about a company’s products or services, giving competitors an unfair advantage, which can ultimately lead to lost revenue and market share.
What happens when a company comes across such high costs? It often passes them onto customers by increasing the prices of goods and services, which over half of the businesses in IBM’s report admitted to doing. This effectively turns into a vicious cycle of further costs generated from the decrease in sales, since many customers simply do not wish or cannot afford the increased prices.
When the risk of such detrimental effects can be mitigated by businesses simply investing into preventive measures beforehand (some of which are not even that expensive, such as implementing basic privacy policies and procedures), one might pose a question as to why this is not yet standard practice. Perhaps because the actual costs to be borne now seem less attractive than the potential costs that may come into play in the future if the data breach occurs at all. It seems to be a bit of a gambling issue: the companies refrain from investing into preventive measures, betting they will not suffer a data breach in the end, and hoping to save the prevention money they would otherwise spend in vain.
If there is one certainty in gambling, it is that the house always wins. Same as with casinos, these days it is not if but when a data breach will happen, making this a poor bet. Therefore, though it might appear expensive to invest in preventive measures, that is just a fraction of the money it can – and likely will – save a business down the line.
It is therefore critical for companies to regulate their internal privacy procedures and invest in strong cybersecurity measures, so as to be prepared to respond quickly and effectively in the event of a breach. Matters such as where the data is stored, how it is encrypted, and who has access to it have a huge impact on data security and the company’s business in general. Regulating this can help mitigate the costs of a breach and protect the long-term viability of the business.
Although data protection lawyers prefer advising clients on data protection policies upfront, you can also count on us being happy to assist with filing data breach notifications and picking-up pieces after the breach occurs. You can safely bet on that if gambling is indeed your thing.
By Goran Radosevic, Partner, Karanovic & Partners