The true cost of a data breach

We have all read the headlines and know that data breaches are costly incidents for businesses and organizations to deal with.

And GDPR has been ‘done to death’, with the headlines warning about potential fines of up to €20 million or 4 per cent of a company’s global annual turnover once the EU General Data Protection Regulation begins to apply next May.

However, the true cost of a data breach is much greater, and is something that is neither widely discussed nor well documented.

According to the 12th annual Cost of a Data Breach Study, carried out by the Ponemon Institute and sponsored by IBM, the average total cost of a data breach in the UK in 2017 is £2.48 million, with an average cost of £98 per lost or stolen record.

But averages will never give an informative picture of what a data breach would mean for your company or, where personal data is lost, for the individuals affected.

We hear a lot about the reputational cost of a data breach, with the accompanying publicity purportedly more damaging than any monetary penalty, especially in terms of consumer confidence. But with high-profile data breaches happening pretty much every week, they are fast becoming the norm and consumers are fast becoming desensitised.

One wonders whether the old adage that ‘no publicity is bad publicity’ now applies. It certainly seems that way at the enterprise level.

Preventing a data breach and surviving one are two different beasts. Surviving a data breach means anticipating it before it happens and, I can already hear the groans at the dreaded policy building, putting in place a disaster recovery policy (in practice, an incident response plan) that spells out exactly what to do when a breach occurs. That plan is the key to survival.

When the inevitable happens, having the machinery already in place to deal with the fallout could mean the difference between survival and bankruptcy, especially for smaller companies. I will leave prevention for another post.

The process for building a data breach disaster recovery policy is relatively simple: it is about anticipating requirements before you are under pressure to meet them.

Meeting your regulatory obligations is a good starting point. Establishing how a breach occurred can mean hiring an external forensic investigator or, at the very least, allocating in-house staff; either way, budget for it in advance rather than on the day.

Then you should establish who was affected by the breach and seek legal advice on your obligations to those individuals, which may mean factoring in the cost of credit monitoring services for affected consumers.

You must know which laws apply to the breach, identify who must be notified and how soon you need to act; under GDPR, for example, a breach must be reported to the supervisory authority within 72 hours of becoming aware of it. Document the process and the timeline, and factor in the cost of notifying every individual affected.
