The financial costs that can result from a data breach can be classified as either direct or indirect. Direct costs include hardening systems, paying fines and resolving possible lawsuits. Indirect costs include loss of existing customers, a decrease in revenue due to a damaged reputation, etc. This monetary loss does not include the direct consequences of the actual compromised data, which could expose company IT secrets, proprietary tool information, and more. All of this greatly affects the public opinion of your company and how your customers perceive your ability to protect their sensitive information.
One example is the high-profile data breach of Sony's systems in 2014, which resulted in an estimated cost of $35 million. This figure includes obvious sources of monetary loss such as establishing more secure systems, conducting investigations, paying fines, dealing with lawsuits, and hiring contractors and forensics personnel to harden the infrastructure, as well as less obvious "hidden costs." These hidden costs include a decrease in business revenue caused by a decline in customer purchases, which in turn reflects a decline in customers' positive sentiment towards the business. Both kinds of cost can significantly impact the bottom line of your business.
Depending on the industry, hidden costs may be more or less significant with regard to the overall monetary loss associated with a data breach. For instance, highly regulated industries such as healthcare may face significantly greater fines for a data breach. One example is the $1.7 million that managed-care company WellPoint had to pay for failing to provide proof of due diligence in keeping its databases secure.
Perhaps as important as the service a business provides, and the revenue it earns, is its brand reputation. Failing to uphold proper information security standards may result in a data breach, which in turn may cause a significant loss of revenue through increased negative sentiment, both from customers who were affected and from potential customers who choose to place their trust in another company.
Given the wide array of personal information that businesses routinely collect from customers, it is imperative, from a legal, moral and ethical standpoint, that businesses take every precaution necessary to safeguard the sensitive customer data they have been entrusted with. Surveys also indicate that businesses were impacted by this loss of customer trust: the reported impact had increased to 91 percent in recent years, with some customers even avoiding particular companies they felt were untrustworthy.
Another study, commissioned by IBM and conducted by the Ponemon Institute in 2013, determined that the reputation-damage costs following a business disruption (e.g. a data breach) could amount to a loss of $20,000 to $5,270,000 over the 24-month period following the disruption.
These figures include the costs of losing existing customers, allaying the fears of new customers, and winning back lost customers. It should be very clear why your business reputation is so important, and why maintaining secure systems is pivotal for any business that seeks to be professional and efficient. The direct financial impact of a breach, coupled with a substantial loss of revenue from decreased customer sentiment, could dramatically affect the bottom line of your company.
Customers who entrust a firm with their personal information often take legal action against the company when their data is stolen, since such a breach can lead to identity theft. The costs associated with class-action lawsuits are another direct cost that a company has to take into consideration when assessing the full scope of how a data breach can affect it. The law firm Bryan Cave found that, in 2016, five percent of data breaches led to class-action litigation, and the report notes that this percentage has remained constant over the past few years. This portion of customers who take legal action must be considered when gauging the potential costs of a data breach. Further costs can also arise from the ramifications of breaching consumer protection laws.
Such regulations can result in heavy fines for firms unless they can prove complete compliance with legislation and due diligence in the utilization of security controls to ensure total information security. Legally, there are several acts and regulations that are in place to ensure that companies take due diligence in maintaining secure systems. The Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the New Basel Capital Accord, etc. are some of the governing legislations that seek to protect customer data by creating stipulations that companies must follow.
In the event of a data breach, a company's failure to ensure complete data security often results in that company being required to pay fines, and it may be ordered to cease operations until the security holes are fixed. For example, the Federal Sentencing Guidelines stipulate that company executives may be fined up to $290 million when a data breach occurs and they cannot prove due diligence in ensuring data security.
A study conducted by the Ponemon Institute in 2014 found that the average cost to a company resulting from a breach was $3.5 million, a figure that had increased by 15 percent from the previous year and continues to escalate today.
With potentially substantial direct and indirect costs being incurred as a result of a data breach, firms should realize that the costs of maintaining data security are far lower than the possible repercussions of inadequate security.