The cost of a personal data breach – whether you are fined or not.

From the Equifax breach to Cambridge Analytica scandal, or the two cyberattacks hitting Yahoo!, data breaches are starting to become a common theme. That is hardly surprising as the ubiquity of business-reliance on digital media, cloud computing, and workforce mobility has companies storing their sensitive commercial (and personal) data on their own local hardware, shared intra-company databases, or the cloud. If data is the new gold, you better take measures to protect your riches. And if you don’t, it will eventually cost you much more than you bargained for and an IBM-sponsored research project has done the math. (Spoiler: it’s a lot.)

Personal data breach under the GDPR

A personal data breach, under the General Data Protection Regulation (GDPR), is broadly defined to include any breach of security that leads to “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.[1] While many people are keen to blame the persistent and sophisticated hacker, recent research has shown that more than 40% of reported security breaches are caused by employee negligence. In other words, personal data breaches can be deliberately caused by a malicious external agent or accidentally by a careless employee. What is important is that the confidentiality, integrity and availability of the personal data is affected. The Dutch Data Protection Authority found that the most common data breaches involved lost/stolen USB-sticks, client portals being shown to the wrong clients, and sending emails or letters to the wrong people.

Reporting a data breach under the GDPR

Reporting a data breach is mandatory under the GDPR (we even explain how in this blog), unless it is unlikely to result in a risk to the rights and freedoms of the person(s) concerned. This legal obligation has resulted in an explosion of publicly-disclosed breaches that are not only increasing in frequency (the number of data breaches within a given period of time) but also severity (the quantity and type of personal data and individuals affected). This timeline does a good job of showing that. The GDPR gives national data protection authorities a big stick to hit organizations with through heavy financial administrative sanctions (up to €20,000,000 or 4% of the total worldwide annual turnover, whichever is higher) but the research project (conducted independently by the Ponemon Institute) has calculated the “total average cost” an organization suffers, whether they are fined or not.

Looking at more than 19 countries around the world, research has shown that the average cost of a data breach is $3.86 million.[2] With the average cost per lost or stolen record being $148 and a 27.9% chance of it happening again, these are financial consequences that will be felt by any organization.[3] Internal forensic investigation and assessment activities, notification and communication costs, post data breach response measures, and lost business are factors that organizations may sometimes forget about.[4] Organizations may not have measures in place to detect and contain breaches, many are slow to respond, and others have communication issues with management and the board of directors or do not know when (or how) to escalate to the data protection authority. 

How do you prepare for a data breach?

So how do you begin to prepare for something like that? Surprisingly, there is a lot that an organization can do. For one, it can invest in GRC (governance, risk management and compliance) programs that evaluate the risk across all of their operations. Other possibilities exist like undertaking data classification schemes that help to quickly determine the severity of the breach (in terms of sensitivity or confidentiality of the vulnerable information) and retention schedules to make sure that no (confidential) data is kept longer than needed. Pro tip: Stay ahead of the game, data is no longer vulnerable if you do not have it. General employee privacy and security awareness training and effective communication and escalation policies are also key to making sure that everybody is on the same page. 

Do you feel prepared? If not, don’t worry because you are in good hands. And even if you think that you are, Considerati can play the role of the data protection authority and put your preparations to the test. Comments? Questions? Challenges? You're most welcome to contact us!

[1] See Article 4(12) GDPR.

[2] Ponemon Institute LLC, ‘2018 Cost of a Data Breach Study: Global Overview’ (2018), p. 3. Available at <>.

[3] Ibid.

[4] See supra note 2, p. 6.