In September 2017, more than half of all Americans learned that some of their most vital personal data, including Social Security numbers and driver’s license numbers, had been stolen in a massive breach at the Equifax consumer credit reporting agency. As a result, the data used to evaluate consumers’ creditworthiness is now potentially available to thieves and fraudsters who could ruin individuals’ financial reputations—and their ability to borrow for a car, a home, or a college education.
The Equifax breach is extreme, but, unfortunately, not unique. The Identity Theft Resource Center, a nonprofit organization set up to support identity theft victims, reported 1,093 data breaches in 2016, a 40% rise from the previous year. Meanwhile, 2017 is shaping up to be worse: 791 incidents were reported through June.
The question is: so what?
It’s not as if consumers aren’t aware of what’s happening. According to a Pew Research Center study published in January 2017, 49% of Americans believe that their personal data is less secure today than it was five years ago. Those fears are well founded: 64% of Americans have been victims of a major data breach, including fraudulent credit card charges, compromised data, hijacked e-mail or social media accounts, and loans or lines of credit taken out in their name.
Corporations globally will spend US$8.6 billion this year on information security, according to Gartner, just to mitigate the risk of a security incident—7% more than in 2016.
Yet according to the Pew study, only 9% of Americans believe companies are very prepared to handle cyberattacks: 52% see firms as “somewhat prepared.” At the same time, individuals have been cavalier in their own cyber behavior: 86% of American consumers memorize their passwords (meaning they choose words or phrases that can be easy for others to decode), and 49% write them down.
In other words, we all have skin in the game when it comes to data breaches, hacked systems, and compromised personal data incidents. But they all seem to run together like the plot of a dreary movie that feels like it will never end.
Maybe if we knew how much our companies, and ourselves as individuals, were losing, we would pay more attention. While public reporting about information security breaches can be difficult to come by, researchers in recent years have sought to quantify the costs: to shareholders, to corporations, and to consumers. Results indicate that the costs are significant.
Shareholders: −1.8% of company value
The aftermath of a severe breach has a material and lasting negative effect on public companies, according to a study of companies in the United Kingdom by Oxford Economics.
The study asserts that for a typical large firm in the FTSE 100 stock market index, a severe data breach results in an average decline of 1.8% in market capitalization compared to a control group of similar companies. This equates to a permanent loss of market capitalization averaging £120 million, or approximately $161 million, for the typical firm studied.
Other researchers have also found statistically significant negative impacts on company value in the aftermath of data breaches. These researchers note that it is difficult to attribute losses of value to any single factor, such as a data breach, in the long-term activity of a stock (which may be influenced by other economic and market conditions). Even so, catastrophic breaches can hurt a company’s market value in the short term. During the 2017 Yahoo–Verizon merger, the revelation of a series of data breaches at Yahoo prompted Verizon to reduce the price it paid to purchase the company.
Companies: −3.6 million per breach
No matter what companies spend to prevent security incidents, the occurrence of a breach creates a new set of expenses. Researchers have different ways of looking at the costs, so estimates vary.
According to a 2016 study by Sasha Romanosky in the Journal of Cybersecurity, a typical cyber incident costs a company $200,000 to manage. Romanosky, a policy researcher at RAND Corporation, examined 921 cases—including data breaches, digital security incidents (such as distributed denial of service attacks), privacy violations, and phishing incidents—for which there was enough cost data available. The litany of expenses is extensive:
- Forensic investigation to determine the cause
- Notifications to consumers affected by the incident
- Marketing and public relations campaigns to respond
- Customer support efforts
- Consumer redress, such as credit monitoring or identity theft insurance, if applicable
- Costs incurred as a result of private litigation, such as class action lawsuits, judicial rulings, settlements, or court awards
- Possible fines or fees brought by government agencies
Romanosky also noted intangible costs, including lost management time due to executive turnover (when a CEO or other senior executives must resign) and the loss of reputation.
A 2017 study by Ponemon Institute looked at the cost of an average data breach and derived a higher estimate: $3.6 million. This price tag applies to companies suffering breaches that affected fewer than 100,000 records—that is, the more common type of data breach that companies typically deal with, not the catastrophic incident that makes big headlines. This study, which relied on interviews with representatives of 419 companies around the world, found that companies spent an average $141 per record to repair the damage from a breach.
Respondents in the Ponemon study said that having an incident response team lowered the cost of a breach by close to $1 million, on average, because these teams enabled a company to contain a breach within 30 days.
However, losses are not limited to what companies spend responding to a breach. The Verizon 2017 Data Breach Investigations Report noted that phishing scams and other e-mail–based attacks against companies that result in financial theft cost firms around the world tens of millions of dollars in 2016.
Consumers: −$1,769 per consumer
When consumers’ identities or accounts are compromised, individuals and businesses share the financial losses. A 2017 study by Javelin Strategy & Research found that consumers battling an account takeover—such as a hacker taking over a credit card, bank account, or other account—spend $263 on average to fix the situation.
When the victim’s identity is misused to purchase goods or get cash, financial institutions also suffer. A 2013 report by the U.S. Bureau of Justice Statistics pegged the total cost at $1,769 per consumer. That figure includes the value of goods, services, or cash obtained using stolen credit or debit cards. Credit card issuers and banks typically cover any fraudulent charges.
Keep Investing in Cybersecurity
Data breaches are here to stay, and everyone is on the hook to prevent or contain losses. Here are some ways to minimize or prevent damage:
Take cues from regulations. Around the world, government regulations concerning information security continue to evolve. As the Ponemon Institute notes, companies that do business in the eurozone will soon have a new mandate. Starting in May 2018, the European Union will require organizations to report data breaches within 72 hours or risk fines of up to 4% of global income. Consider rules like this when evaluating investments in system monitoring and crisis response.
Adopt a hacker mindset. Researchers, including José Esteves, an associate professor of information systems at the IE Business School in Madrid, studied hackers to learn how they think. They identified a four-step approach that hackers use to gain control of someone else’s data:
- Identify vulnerabilities (such as a vendor, a new employee, or a system that does not comply with security standards).
- Scan and test to seek additional entrances into a system.
- Gain access (through technical means or by communicating with a person susceptible to misleading messages).
- Maintain access.
Think like the hackers, Esteves and his colleagues contend, and you can address your vulnerabilities before the malefactors find them.
Don’t give up. Corporate information security leaders can justify continued investments in risk management and risk mitigation. As the Ponemon study demonstrates, that’s why it’s time to staff up that incident response team. They could be worth a million bucks—literally. D!