Why Data Breaches Hit Companies So Hard in 2019
January 7, 2020
by Judith Wahnon
If you’re worried about your online privacy, your concern is well founded. Not only do privacy risks make users feel vulnerable on the internet, but they can open the door to identity theft, with all of the harsh consequences that can entail.
But as troublesome as the threat of a data breach can be for individuals, it can be truly devastating for affected companies. And there are strong indications that 2019 saw a significant jump in terms of the harm that businesses suffered as a result of major data breaches.
Why is that? The increasing sophistication of malicious hackers and other bad actors is a big part of the story – but it’s not the whole story. Rather, increasingly strict consumer privacy laws and skeptical consumer sentiment are also significant factors here.
For starters, simply put, 2019 was a bad year for cybersecurity, with each month seeing more than its share of newsworthy incidents. According to Risk Based Security, the year’s first nine months saw 33.3% more data breaches than the same period in 2018 – and more than the entirety of 2017.
Of course, some of these events stood out as particularly alarming, such as an automated series of Magecart credit card-skimming attacks in which 962 eCommerce websites were infiltrated in just one day in July. The last year also saw a large-scale data breach of Capital One in which a hacker accessed records of an estimated 100 million U.S. citizens and six million Canadians, including roughly 140,000 Social Security numbers. Other major brands affected by data breaches discovered in 2019 include Macy’s, DoorDash, Forbes Magazine, Magento, Facebook, TrueDialog, and many others.
Taken together, the numbers don’t paint a pretty picture. The breaches continued all year long, the number of major websites targeted was alarming, and the number of individuals affected was massive.
But for businesses keeping tabs on cybersecurity developments in 2019, the year’s most alarming news may have been the fallout from two major breaches that were discovered in 2018. To understand the implications of those developments, we need to look at the shifting international legal landscape surrounding customer privacy.
How did the legal protection of consumer privacy change in 2019?
At first glance, it may be easy to miss the ways that 2019 impacted consumer privacy laws and their enforcement. After all, it was back in 2018 that the European Union’s General Data Protection Regulation (GDPR) went into effect and the California Consumer Privacy Act (CCPA) was passed into law, and it was just last week – on January 1, 2020 – that the latter law went into effect. These two laws go further than any previous legislation in their efforts to restrict companies’ collection, sale, and use of consumers’ personal information – and both of them threaten businesses with harsh penalties for noncompliance.
But 2019 gave us a chance to see how the GDPR would be applied in practice, and the results should concern businesses that may be at risk of violating the law. These companies should be particularly alarmed by the proposed $229 million (£183 million) fine of British Airways that the UK Information Commissioner’s Office announced in July 2019, following a large-scale 2018 breach in which payment-card details entered on the airline’s website were skimmed.
And while that may have been the GDPR’s most newsworthy enforcement action of 2019, it was far from the only illustration of the pain the new law can inflict on companies that fail to comply with it. Just the day after the announcement of the proposed fine of British Airways, we learned that Marriott would face a proposed fine of $123 million following a data breach that the hotel chain had discovered in late 2018. In that case, hackers had accessed records of approximately 383 million hotel guests, including five million unencrypted passport numbers.
Still, if the proposed fines of British Airways and Marriott sound harsh, consider that they could have been much larger. Under the GDPR, any company found to violate the law could face a penalty of up to 4% of its global annual turnover, or 20 million euros (roughly $22.4 million) – whichever is higher. In contrast, the proposed fines of British Airways and Marriott are “only” 1.5% and an estimated 3% of the companies’ annual revenue, respectively.
Then again, these fines only reflect part of the losses that the two companies will see as a result of the data breaches they each suffered. To accurately evaluate the financial impact of those breaches, we need to look at the full range of their effects. The non-legal results of data breaches may be less obvious, they may be harder to measure, and they may take longer to show up – but they are very real.
How much do data breaches really cost businesses?
A 2019 edition of an annual study by IBM and the Ponemon Institute sheds light on the full financial impact of a data breach on the targeted company. Perhaps most importantly, this report found that post-breach response, the category that includes legal fees and regulatory fines, accounts for less than 30% of the average cost of a data breach – a share that is likely to grow as the full effects of the GDPR and other legislation become clearer.
In total, the 2019 study found, the average data breach costs the targeted company $3.92 million – 1.5% more than in the same study in 2018 and 12% more than in the first such study in 2014, but somewhat less than the 2016 peak of $4.00 million. The latest study found that, of the $3.92 million cost of the average data breach, $1.42 million (36.2%) can be attributed to lost business, while $1.07 million (27.3%) stems from the targeted company’s “post breach cost” – a category that includes any fines and other legal fees, as well as certain other expenses.
In addition, the IBM-Ponemon Institute study found that roughly one-third of the cost of a data breach appears more than one year after the breach has been discovered. Specifically, it found that 67% of the cost typically appears during the first year, 22% in the second year, and 11% more than two years after the breach.
Notably, the study also found that the cost of the average data breach in the U.S. is $8.19 million – more than double the global average.
While it is not yet clear exactly how much Marriott and Capital One will ultimately lose as a result of their data breaches, estimates put the total costs well beyond any regulatory fines – possibly reaching $1 billion and more than $300 million, respectively.
In addition, 2019 showed us that the reputational fallout from a major data breach can be truly devastating to some businesses: After a major 2019 data breach was attributed to failures of the American Medical Collection Agency (AMCA), the company lost so much business that it was forced to file for bankruptcy.
Addressing cybersecurity concerns in 2020
As the new decade starts, there are good reasons to worry about the financial risk that data breaches pose to companies. In 2020, as in 2019, that risk stems both from the increasing sophistication of hackers and from shifts in law and consumer attitudes.
Much of the legal danger comes from an ongoing international trend toward increasing restriction of companies’ collection, use, and sale of individual consumers’ information. After learning a great deal about the impact of the GDPR last year, in the new year we can expect to get our first glimpse of how the CCPA will be enforced in practice. And with similar legislation taking shape both in other U.S. states and in countries around the world, it seems likely that the penalties companies could face for cybersecurity failures will continue to increase in the future.
In addition to fines, the risk that a newsworthy data breach could hurt consumer confidence remains high – especially in light of the skepticism today’s consumers show regarding companies’ use of their data.
Adding to the ongoing risk of data breaches, today’s major websites tend to rely heavily on embedded third-party services, and on the fourth-party services that those third parties load in turn, often without the site owner ever having chosen them. Every such script runs in the page with the same access to the DOM and form fields as the site’s own code, which is what lets a compromised or malicious script skim payment-card data, as in the Magecart attacks mentioned above. As a result, businesses must invest additional time and resources in ensuring their customers’ privacy online. Specifically, companies must keep tabs both on which services their websites actually load, including the ones loaded indirectly, and on what sensitive data, such as checkout and login fields, those services can reach.
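As an added example (not code from the original article or from Namogoo), the Node.js script below shows the kind of inventory the paragraph above calls for: it takes a list of the scripts a page executed, classifies each as first-, third- or fourth-party from who loaded it, flags cross-origin scripts that carry no Subresource Integrity hash, and turns the result into a Content-Security-Policy script-src allowlist that excludes the fourth parties. The input shape, every hostname (shop.example and the vendor domains) and the placeholder SRI hash are constructed for this example; in practice the same fields would come from a headless-browser crawl or the page’s PerformanceResourceTiming entries.

```javascript
// Added example, not code from the article or from Namogoo: a minimal
// inventory of the scripts a page executes, classifying each as first-,
// third- or fourth-party and flagging cross-origin scripts that lack a
// Subresource Integrity (SRI) hash. The input shape and all hostnames are
// constructed for this example; in practice you would collect the same
// fields from a headless-browser crawl or PerformanceResourceTiming data.

// The site's own hostname. It and its subdomains count as first party.
const SITE = "shop.example";

// Constructed sample inventory. `initiator` is the hostname of the script
// that caused this one to load (null when the page's own HTML loaded it);
// `integrity` is the value of the <script integrity="..."> attribute, if any.
const SAMPLE_SCRIPTS = [
  { src: "https://shop.example/static/checkout.js", initiator: null, integrity: null },
  { src: "https://tags.analytics-vendor.example/tag.js", initiator: null, integrity: null },
  { src: "https://cdn.widget-vendor.example/chat.v3.js", initiator: null,
    integrity: "sha384-" + "A".repeat(64) }, // placeholder value, not a real digest
  // Pulled in by the analytics tag rather than by the page itself: a fourth
  // party that nobody at the site ever chose to include.
  { src: "https://ads.unknown-network.example/pixel.js",
    initiator: "tags.analytics-vendor.example", integrity: null },
];

function isFirstParty(host, site) {
  return host === site || host.endsWith("." + site);
}

// first  : served from the site itself
// third  : cross-origin, but loaded directly by the page (a vendor the site chose)
// fourth : cross-origin and loaded by some other cross-origin script
function classifyParty(host, initiator, site) {
  if (isFirstParty(host, site)) return "first";
  if (initiator === null || isFirstParty(initiator, site)) return "third";
  return "fourth";
}

function auditScripts(scripts, site = SITE) {
  return scripts.map((s) => {
    const url = new URL(s.src);
    const party = classifyParty(url.hostname, s.initiator, site);
    return {
      src: s.src,
      origin: url.origin,
      party,
      // A cross-origin script without an integrity hash can be changed at the
      // vendor or its CDN without anything on the site's side noticing.
      sriMissing: party !== "first" && !s.integrity,
    };
  });
}

// Counts for a dashboard or a CI gate.
function summarize(report) {
  const out = { first: 0, third: 0, fourth: 0, sriMissing: 0 };
  for (const r of report) {
    out[r.party] += 1;
    if (r.sriMissing) out.sriMissing += 1;
  }
  return out;
}

// Turn the inventory into a Content-Security-Policy script-src directive that
// allows only the site and the vendors it deliberately included. Fourth-party
// origins are left out unless explicitly allowed, so the browser refuses them.
function buildScriptSrc(report, { allowFourthParty = false } = {}) {
  const origins = [];
  for (const r of report) {
    if (r.party === "first") continue;
    if (r.party === "fourth" && !allowFourthParty) continue;
    if (!origins.includes(r.origin)) origins.push(r.origin);
  }
  return ["script-src 'self'", ...origins].join(" ");
}

const SAMPLE_REPORT = auditScripts(SAMPLE_SCRIPTS);
console.log(JSON.stringify({ summary: summarize(SAMPLE_REPORT), report: SAMPLE_REPORT }, null, 2));
console.log(buildScriptSrc(SAMPLE_REPORT));
```

Run it with node to see the classified inventory and the resulting script-src line. Two caveats a practitioner should keep in mind: the inventory is not access control, since every script it lists, first-party or not, can already read the checkout form, so the CSP it produces is the part that actually limits exposure, and it should be rolled out as Content-Security-Policy-Report-Only first because blocking a fourth party can break the vendor that loads it. SRI, likewise, only fits vendor files whose content is fixed; tag managers and ad pixels that rotate their code cannot carry a hash, which is exactly why they deserve the closest watching.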
The good news is that, while the threat posed by data breaches continues to increase, new technologies are making it easier for companies to protect themselves from that threat. Given that much of the risk of a data breach stems from websites’ reliance on third- and fourth-party services, technology such as Namogoo’s Customer Privacy Protection (CPP) solution can go a long way toward mitigating that risk by providing critical information about embedded services in real time.
In short, the trends that we saw in 2019 suggest that there is good reason for businesses to worry about the risk of data breaches in 2020. But with the right cybersecurity procedures and technologies, companies can keep this risk to a minimum.
Are the third- and fourth-party services embedded in your website exposing your company to the risk of a data breach? To find out, get a free privacy risk analysis.