We have all read the headlines and know that data breaches are costly incidents for businesses and organizations to deal with.
And GDPR has been ‘done to death’ with the headlines warning about potential fines of up to €20 million or 4 per cent of a company’s global revenue once the EU General Data Protection regulation comes into force next May.
However, the true cost of a data breach is much greater, and is something that is neither widely discussed or documented.
According to the 12th annual Cost of Data Breach Study, carried out by IBM’s Ponemon Institute, the average total cost of a data breach in the UK in 2017 is £2.48 million, with the average cost per lost or stolen record £98.
But looking at average costs is never going to really give an informative picture as to what a data breach would mean for your company and, where personal data is lost, those affected.
We hear a lot about reputational cost of a data breach, with the accompanying publicity purportedly considered potentially more damaging than any monetary penalty, especially in terms of consumer confidence. But with high profile data breaches happening pretty much every week it is fast becoming the norm and consumers are fast becoming ambivalent.
One wonders if the old adage of ‘no publicity is bad publicity’ is becoming relevant. It certainly seems that way at the enterprise level.
Preventing and surviving a data breach are two different beasts. Surviving a data breach means effectively anticipating it before it happens and, I can already hear the groans at the dreaded policy building, but putting a disaster recovery policy in place that really details what to do in the event of a data breach is the key to survival.
When the inevitable happens, having the machinery already in place to deal with the fallout could mean the difference between survival and bankruptcy, especially for smaller companies. I will leave prevention for another blog.
The process for building a data breach disaster recovery policy is relatively simple; it’s about anticipating requirements.
Meeting the relevant obligations in terms of regulation is a good starting point. Finding out how a breach occurred can mean hiring an external forensic investigator or at the very least allocating in-house staff resources.
Then you should establish who was affected by the breach and seek legal advice as to your obligations to those affected; which may mean factoring in credit monitoring services for consumers.
You must know what laws apply to the breach, identify who must be notified and how soon you need to act. Document the process and timeline and factor in the costs of notifying any individuals affected. This could be directly by mail or email and through other media outlets. Depending on your size you might need to factor in a call centre as large volumes of customers will be calling you whether they are affected or not.
Imagine how many of Talk Talk’s 4 million customers called them to find out whether it was their data that was lost. If you don’t have in-house public relations expertise, hiring a PR firm to help direct and manage your message to the media and public would be a good idea.
Then you must deal with legal costs from a government agency investigating you because of a breach, and consider the potential for class actions, especially since 2014 when the consumer no longer has to prove personal damage to make a claim. And all this before you get to any monetary penalties.
Other costs are more specific to a company such as loss of income from a data breach, the cost of recreating lost or damaged data and lost opportunity costs.
The resource cost of a data breach can be huge. Investigating data breaches takes up valuable time and takes employees away from other tasks. Then there is the human cost, with potential job losses resulting from a loss in business.
Data lost might not necessarily be of a personal nature, but rather intellectual property, which opens up other avenues of potential consequences; if you lose IP you lose your competitive advantage.
Whether you lose consumer data or your company IP, in the worst-case scenario your business could go bust; many have.
The simple fact is the cost of repair after a data breach is 10 to 100 times higher than preventing it in the first place; detection, prevention and reporting are key. Even if you think you have covered yourself as much as you can, with data loss prevention technology or endpoint security solutions, there is still the potential for a data breach; nobody’s infallible.
This highlights why there needs to be a data breach incident response plan in place from the highest level downwards in all businesses and organisations, no matter the size.
There needs to be a paradigm shift in information governance. We are slowly seeing this shift in responsibility in the largest organisations, from IT departments and chief information officers (CIO) to active board level recognition of the risk.
But until there is a wider recognition that information governance and disaster recovery planning is integral to the health and wealth of a business or organisation, there will still be a significant risk not only to individual companies but also to UK PLC and the economy as a whole with data now recognised as the new currency. Don’t let your business become a statistic – plan ahead.
This article is published as part of the IDG Contributor Network. Want to Join?