Craig McDonald Aug 23, 2022 1:22:22 PM 8 MIN READ

Are Businesses Taking Data Security Seriously?

Data breaches are costing businesses more than ever. You’ve no doubt heard this so many times that it’s starting to seem like hyperbole, but IBM’s most recent Cost of a Data Breach Report confirms the statement.  

The 2022 report put the average total cost of a data breach at an all-time high of USD $4.35 million globally, an increase of 12.7% over the past two years, and higher still in the US, where the average is USD $9.44 million. For many businesses, however, the cost of a breach extends well beyond the immediate financial impact of the incident (remediation efforts, lost business and reputational damage) and flows on into legal and regulatory after-effects.

So, is it too simplistic to say that this increase is merely symptomatic of the rising prevalence and sophistication of cyber-attacks, or does it also signal apathy within the business community towards an ever-growing challenge?

In July of this year, T-Mobile made headlines when the telco agreed to pay $350 million to settle a class action lawsuit over a data breach in August 2021. The breach exposed the personal information of more than 76 million customers, including names, addresses, dates of birth, driver's licence details, social security numbers and more. The settlement also requires T-Mobile to invest a further $150 million in strengthening its data security, bringing the total cost to $500 million and making it the second largest data breach settlement in US history.

On top of the costs of the original breach, that is $350 million to compensate customers, plus a court-ordered $150 million to improve the company's data security. At what point is an executive leadership team (ELT) and board held to account for their decisions, or the absence of them, when the result is a failure to protect customer data? In T-Mobile's case, it took a long-term shareholder to launch a lawsuit against the board of directors, including the President and CEO, alleging that they misled investors about the company's protection of consumer data and failed to take the steps necessary to prevent the breach.

Many similar cases have been reported in recent years. In 2018, for example, ride-hailing company Uber was fined $148 million and required to tighten its data security after failing to notify 600,000 US drivers and 57 million riders that their personal information had been stolen in a 2016 hack. Rather than reporting the incident to the appropriate authorities, Uber paid the attackers $100,000 for an assurance that the stolen data would be destroyed. At the time, then Illinois Attorney General Lisa Madigan stated, "This is one of the most egregious cases we've ever seen in terms of notification; a year-long delay is just inexcusable, and we're not going to put up with companies…completely ignoring our laws that require notification of data breaches".

Although Uber's fine was not the first of its kind, regulators used it as a warning to other businesses that protecting consumer data needs to be a higher priority. But has the lesson been heeded?

That same year, the EU's General Data Protection Regulation (GDPR) came into force. The GDPR is the toughest set of data security and privacy regulations in the world. It applies to businesses anywhere in the world, provided they collect data relating to individuals in the EU, and it allows EU data protection authorities to impose fines of up to 4% of an organisation's worldwide turnover for the previous financial year, or €20 million, whichever is higher.

Four years on, authorities have issued more than 1,000 fines for GDPR violations and non-compliance, many of which extend beyond data breaches. The most significant ruling to date came in July 2021, when Amazon was fined €746 million for breaching European regulations. The penalty followed a complaint lodged in 2018 by privacy rights group La Quadrature du Net on behalf of 10,000 customers. While the specifics behind the penalty remain unclear, it concerned the way Amazon used consumer data for targeted advertising.

Outside the GDPR's jurisdiction, other regulators have followed the same lead, continuing to tighten data security requirements and holding businesses accountable for mismanagement. We applaud the initiative of governments and regulators around the world, but these high-profile examples are only the tip of the iceberg, and they point to a worrying trend: many executive leadership teams are not taking proactive measures to protect their corporations or their customers.

In July 2022, China's cybersecurity regulator fined ride-sharing company Didi 8 billion yuan (USD $1.28 billion) following a year-long investigation that found the company had violated data security laws and misused personal information. The fine represents just under 5% of Didi's total 2021 revenue, and it sets a precedent for other organisations operating in China.

The problem appears to be widespread, with companies repeatedly falling victim to data breaches or violating privacy laws. In fact, IBM's Cost of a Data Breach Report 2022 also found that 83% of the organisations studied had suffered more than one data breach.

Another company that has made headlines for this reason more than once is Facebook. In September 2019, an unsecured, publicly accessible server holding personal data on more than 419 million Facebook users was discovered. The news broke just two months after the US Federal Trade Commission imposed a historic $5 billion penalty on the social media giant, along with a mandate to implement a new privacy structure to improve transparency and accountability.

For multi-billion-dollar companies, these penalties may seem like a drop in the ocean: in 2021, Facebook reported an operating profit of USD $46.7 billion. For small to medium corporates, and even SMEs, a fraction of such a fine could put them out of business.

But aside from the monetary penalties, at what point will consumers, shareholders and boards hold organisations to account? I'm interested to hear your view. Am I being too harsh, or do ELTs need to lift their game and be more proactive? Let me know on my poll here.

Keeping businesses safe and secure 

Prevention is always better than cure, and the best defence is for businesses to proactively raise their cyber resilience so that threats never land in inboxes in the first place. With a staggering 94% of malware attacks delivered by email, email is one of the most important vectors for businesses to fortify.

No single vendor can stop every threat, so it's crucial to remind customers that if they are using Microsoft 365 or G Suite, they should also have a third-party email security specialist in place to mitigate their risk, for example a third-party cloud email security solution such as MailGuard.

Talk to us 

MailGuard's partner blog is a forum for sharing information, and we want it to be an open dialogue. Reach out to us and tell us how we can serve you better. You can connect with us on social media, or call us and speak to one of our consultants.

Australian partners, please call us on 1300 30 65 10

US partners, call 1 888 848 2822

UK partners, call 0800 404 8993

We’re on Facebook, Twitter and LinkedIn.