Already, many organizations have made headlines because they failed to do what was expected of them—prevent data breaches—and the corporate liabilities that arise due to various data privacy laws and regulations can potentially be devastating.
It is estimated that 2.5 quintillion bytes of data are now produced every day.[1] Likewise, the amount of information stored by organizations across all industries has increased significantly in recent years, challenging the ability of organizations to keep sensitive data private. This challenge has been made even more difficult by the ongoing shift of enterprise workloads to third-party public cloud providers.
Facts and Figures
- Since 2013, nearly 15 billion data records have been compromised, out of which 3,353,172,708 were compromised in the first half of 2018 alone, an increase of 72% over H1 2017.[2]
- The average cost of a data breach is $3.86 million, according to 2018 Cost of a Data Breach Study published by IBM.[3]
- The same study estimates that the average cost per lost or stolen record in a data breach is $148.
- As if the situation wasn’t bad enough, the number of data incidents is expected to grow as attackers continue to find new vulnerabilities and develop exploits for them.[4]
- Contrary to popular belief, human error is among the primary causes of data breaches, according to nearly half of all C-Suites and one in three SBOs surveyed by Ipsos.[5]
What Is a Data Breach?
A data breach occurs when private data is intentionally or unintentionally released to an untrusted environment or accessed without authorization. Other terms for the exposure of confidential information include data incident (which also encompasses data loss due to equipment failure, disaster, or malware) and unintentional information disclosure (which does not necessarily have to involve digital information).
The lost data may be sensitive private information the company has collected on employees or customers, or it may be proprietary and confidential data regarding business operations and trade secrets. Data breaches may even involve the loss or theft of digital media or physical data and devices, such as hard drives, mobile devices, and computers. Any data breach incident poses serious risks for organizations as well as for the individuals whose data has been lost.
How Do Data Breaches Happen?
According to Verizon’s year-long investigation into the leading causes of data breaches, most (48%) of data breaches happen as a result of targeted criminal hacking, which may involve phishing and spear phishing, SQL injection, denial-of-service and (DoS) and distributed denial-of-service (DDoS), or man-in-the-middle (MitM) attacks, just to name a few techniques hackers have at their disposal.[6]
Malware is another major cause of data breaches (30%), with ransomware, a type of malware that encrypts the victim’s data and perpetually blocks access to it unless a ransom is paid, being by far the most prevalent type of malware today. In 2018, ransomware damages amounted to more than $8 billion, and they are predicted to reach $11.5 billion annually by 2019.[7]
We have already mentioned the third major cause of data breaches in this article: human error, such as an employee losing a mobile device or sending out sensitive data in an unsecured email. These and other potentially devastating mistakes account for 17% of data breaches, and organizations often find them very difficult to avoid because there is no readily available and easily implementable solution that can prevent employee negligence.
What Is the Impact of a Data Breach?
A data breach has both direct and indirect financial consequences. First, any organization that has been breached must allocate its budget and resources to resolve the breach and address the underlying problem that led to it. The average cost of a data breach is $3.86 million, with an average cost per lost or stolen record of $148.[8] As if to make things worse, the cost of a data breach has been steadily increasing over the years, and it is showing no signs of slowing down anytime soon. Furthermore, the likelihood of a recurring material breach over the next two years is 27.9%.[9]
The organization must then deal with the indirect financial consequences of the data breach, which stem mainly from the loss of customer trust, diminished brand reputation, downtime, and possibly even litigation. For small and medium-sized businesses, the impact of a data breach can be far more severe than for enterprises with abundant resources. In fact, 60% of small to mid-sized businesses never recover from data breaches as a direct result of losing their ability to compete with others.[10]
Finally, the breached organization may face the legal consequences, including fines, revocation of licenses, and, in some cases, imprisonment of employees responsible for the breach.
What is My Liability in Case of Data Breach?
As data breaches are a growing concern for regulators, organizations are held liable to define and implement protection measures.
In the European Union, the General Data Protection Regulation (“EU GDPR”) introduced the requirement for organizations to report a data breach to national data protection regulators and to the affected individuals within 72 hours of becoming aware of the breach. Those who fail to comply with the regulation may face severe penalties, including fines up to EUR 10M or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.[11]
In the People’s Republic of China,
the Cybersecurity Law (“PRC CSL”) defines obligation for organizations
regarding the prevention of data leak—especially emergency response plan—with
penalties including fines up to ¥1 million ($145,000).[12]
Organizations can also be liable for failing to implement basic security
measures, such as set up an antimalware software or regularly back up their
data.
[1] https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=WRL12345USEN
[2] https://breachlevelindex.com/
[3] https://www.ibm.com/downloads/cas/861MNWN2
[4] https://www.experian.com/assets/data-breach/white-papers/2019-experian-data-breach-industry-forecast.pdf
[5] https://www.shredit.com/en-us/about/press-room/press-releases/sacking-employees-for-data-breach-negligence
[6] https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf
[7] https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-exceed-8-billion-in-2018/
[8] https://www.ibm.com/downloads/cas/861MNWN2
[9] https://www.ibm.com/developerworks/community/blogs/IBMCommserver/entry/Calculating_the_Cost_of_a_Data_Breach_in_2018?lang=en
[10] https://www.vistage.com/demand/cyberthreat-solutions-pdf-form/
[11] EU GDPR, Article 83-4
[12] PRC CSL, Articles 25 and 34-4
