Impact of Data Breach

1. Financial Loss
The financial impact of a data breach is undoubtedly one of the most immediate and hard-hitting
consequences that organizations will have to deal with. According to a recent study by the Ponemon
Institute, the cost of a data breach has risen 12% over the past five years to £3.2m on average globally.

Costs can include compensating affected customers, setting up incident response efforts, investigating
the breach, investment into new security measures, legal fees, not to mention the eye-watering
regulatory penalties that can be imposed for non-compliance with the GDPR (General Data Protection
Regulation).

Organizations in breach of the GDPR can be fined up to 4% of annual global turnover or 20 million Euros
(whichever is greater). If organizations are under any illusion that these financial penalties will not be
enforced, the recent fines imposed on British Airways and Marriot have highlighted just how seriously
the ICO intends to take GDPR violations.

A breach can also significantly impact a company’s share price and valuation. This is exactly what
happened to Yahoo after it was breached in 2013. The breach came to light in 2016 when the company
was about to be bought over by US telecoms company Verizon. The acquisition went ahead with the
company buying Yahoo for a discounted rate of $4.48 billion, around $350 million less than the original
asking price.

2. Reputational Damage
The reputational damage resulting from a data breach can be devastating for a business. Research has
shown that up to a third of customers in retail, finance and healthcare will stop doing business with
organizations that have been breached. Additionally, 85% will tell others about their experience, and
33.5% will take to social media to vent their anger.

News travels fast and organizations can become a global news story within a matter of hours of a breach
being disclosed. This negative press coupled with a loss in consumer trust can cause irreparable damage
to the breached company.

Consumers are all too aware of the value of their data and if organizations can’t demonstrate that they
have taken all the necessary steps to protect this data, they will simply leave and go to a competitor that
takes security more seriously.

Reputational damage is long-lasting and will also impact an organization’s ability to attract new
customers, future investment and new employees to the company.

3. Operational Downtime
Business operations will often be heavily disrupted in the aftermath of a data breach. Organizations will
need to contain the breach and conduct a thorough investigation into how it occurred and what systems
were accessed. Operations may need to be completely shut down until investigators get all the answers
they need. This process can take days, even weeks, depending on the severity of the breach. This can
have a huge knock-on effect on revenue and an organization’s ability to recover.

According to Gartner, the average cost of network downtime is around $5,600 per minute. This equates
to around $300,000 per hour. This will obviously differ depending on the size of organization and the
industry affected, but clearly, it can have a devastating impact and significantly affect business
productivity.
4. Legal Action
Under data protection regulations, organizations are legally bound to demonstrate that they have taken
all the necessary steps to protect personal data. If this data is compromised, whether it’s intentional or
not, individuals can seek legal action to claim compensation.

There has been a huge increase in class action lawsuits in both the US and UK as victims seek monetary
compensation for the loss of their data.

Equifax’s 2017 data breach affected more than 145 million people worldwide and the company has paid
out more than $700 million in compensation to affected US customers. The breach affected an
estimated 15 million customers in the UK, who have now launched their own separate legal action in the
high court seeking £100 million in compensation.

As the frequency and severity of breaches continues to rise, we can expect to see more of these group
cases being brought to court.

5. Loss of Sensitive Data

If a data breach has resulted in the loss of sensitive personal data, the consequences can be devastating.
Personal data is any information that can be used to directly or indirectly identify an individual. This will
include everything from a name to an email address, IP address and images. It also includes sensitive
personal data such as biometric data or genetic data which could be processed to identify an individual.

The reality is that if a critical patient had their medical records deleted in a data breach it could have a
serious knock-on effect on their medical treatment and ultimately their life. Biometric data is also
extremely valuable to cybercriminals and worth a lot more than basic credit card information and email
addresses. The fallout from breaches that expose this data can be disastrous and exceed any financial
and reputational damage.

Regardless of how prepared your organisation is for a data breach, there is no room for complacency in
today’s evolving Cyber Security landscape. You must have a coordinated security strategy in place that
protects sensitive data, reduces threats and safeguards your brand’s reputation.

MetaCompliance specialises in creating the best Cyber Security awareness training available on the
market. Our products directly address the specific challenges that arise from cyber threats and
corporate governance by making it easier for users to engage in Cyber Security and compliance. Get in
touch for further information on how we can help transform Cyber Security training within your
organisation.

How do applications help protect data?

Data breach prevention needs to include everyone at all levels — from end-users to IT personnel, and all
people in between.

When you’re trying to plan how to prevent data breach attacks or leaks, security is only as strong as the
weakest link. Every person that interacts with a system can be a potential vulnerability. Even small
children with a tablet on your home network can be a risk.

Here are a few best practices to avoid a data breach

• Patching and updating software as soon as options are available.

• High-grade encryption for sensitive data.
• Upgrading devices when the software is no longer supported by the manufacturer.
• Enforcing BYOD security policies, like requiring all devices to use a business-
grade VPN service and antivirus protection.
• Enforcing strong credentials and multi-factor authentication to encourage better user
cybersecurity practices. Encouraging users to start using a password manager can help.
• Educating employees on best security practices and ways to avoid socially engineered
attacks.