Impact of a Data Breach: Six Serious Consequences
No organization wants to suffer a data breach, but some see it as an inevitable cost of doing business in today’s digital environment. Although this sort of fatalism isn’t entirely unfounded, when it’s used to justify a lack of cybersecurity spending, it will likely become a self-fulfilling prophecy.
The devastating effects of a breach should not be underestimated. Even if you’re a megacorporation with enough financial stability to weather the storm, a breach could potentially cripple your organization, if not shutter it completely.
To give you a better understanding of the ultimate impact of a breach, we’ve outlined a few of the negative outcomes commonly associated with breaches. We understand every breach is different, and many variables contribute to the overall cost of one. But regardless of how your organization is compromised, you’re likely to face some combination of the following consequences.
A breach often means a vulnerability in an organization’s security environment has been found and exploited, and that vulnerability needs to be fixed immediately. Additionally, the repair of one vulnerability can reveal others and shift organizations into a re-evaluation of their existing systems and processes. These costs manifest in the form of testing, security assessments, new hardware and software, and training for new employees and processes.
You’ve probably heard the saying “there’s no such thing as bad publicity.” In discussing a data breach, that sentiment is simply wrong. Data breaches, especially when they could have been easily avoided, can be a public relations nightmare. As a result, breached customers will likely stop working with your organization or refuse to do business with you in the future—or even worse, sue for damages.
Loss of Consumer Trust
This goes hand-in-hand with the above. If you suffer a breach, potential customers or prospects will probably write you off. Investors might cash out or skip your stock offering altogether. A data breach will hurt you for as long as people remember you as an organization that was breached.
Fines and Penalties
Fines and penalties incident to a breach are much more concrete than the consequences we’ve covered so far. Penalties for regulatory and other compliance violations are often spelled out in the body of the regulations and standards themselves, so they shouldn’t come as a surprise.
The European Union’s General Data Protection Regulation, for example, calls for fines of up to 4 percent of annual turnover or €20 million, whichever is greater, in the event that an organization is found to be willfully or intentionally in violation. Accidental infractions or negligence are less severe—2 percent of annual turnover or €10 million—but still substantial. Violations of the California Consumer Privacy Act or Payment Card Industry Data Security Standard can result in similar penalties.
The Federal Trade Commission has prosecuted, and will continue to prosecute, any ‘unfair trade practice’ it determines likely to cause harm to consumers that consumers can’t reasonably avoid. PHI, non-public financial data, and data concerning children are just some of the types of data also protected by Federal non-disclosure laws.
If your organization suffers a breach due to negligent security practices, you could be held liable for damages in a class-action lawsuit. Equifax paid a $425 million settlement after it was breached in 2017, and Marriott paid $250,000 in February without admitting wrongdoing—a relative slap on the wrist. When these legal fees are compounded by regulatory fines and other financial losses, the cost of a breach can become insurmountable.
This is a relatively new concern for breached entities, and it likely will only affect larger organizations that can afford and benefit from cyber insurance coverage. Cyber insurance premiums are already rising steadily due to the prevalence of breaches, so if your organization suffers from one, it’s safe to assume your premium will increase substantially. Your insurance company might also deny coverage if your organization is found to be negligent.
The Bottom Line
According to IBM’s 2019 Cost of a Data Breach Report, the average cost of a breach is about $150 per record, although this can vary by industry. Similarly, the total average global cost for a breach is $3.92 million, but in the healthcare industry, that number is 65 percent higher—$6.45 million.
These are useful baselines to keep in mind, but they only factor in costs related to detection, escalation, notification, response, and lost business. It’s also important to note that breaches are increasing in both frequency and cost year over year. So just because you haven’t yet suffered a breach doesn’t mean you won’t in the future—when the cost could be much higher.
How TokenEx Can Help
Too many organizations see “breach inevitability” as a reason not to devote resources to defending against a breach. But TokenEx’s platform and services offer data protection and consequent cost avoidance even if your organization suffers a data breach.
TokenEx’s tokenization service is a particularly effective strategy for protecting sensitive data even in the event of a breach. TokenEx’s services and products can remove or mask sensitive data from your internal systems and safely store it outside of your environment. This prevents cybercriminals from accessing the original, sensitive data if they breach a tokenized environment. Instead, a breach would reveal only tokens—nonsensitive placeholders that cannot be exchanged for the original data without the use of additional protected information not available in the breach.
For example, last year one of our clients suffered a breach, revealing some of the personally identifiable information it was storing in its systems. However, because this organization was using TokenEx’s Cloud Security Platform to tokenize its cardholder data, no primary account numbers were exposed during the breach. Had the organization also chosen to tokenize its PII, that data would have been protected as well. As the customer explained in its breach notification:
“The information potentially accessed in this incident would not include your full credit or debit card number, as we do not store those numbers when customers make purchases in our store. If you’ve opted to store your card in your account, we store the last four digits of your payment card number for reference and use by you for subsequent purchases, but never the entire card number.”
This is what we mean by “no data, no theft.” Although tokenization cannot protect your environment from a breach, it can desensitize stored information. So, even if tokens are exposed, they’re just nonsensitive placeholders unrelated to the original, sensitive data. Cybercriminals can’t reverse the tokens or use them to access the original data stored safely in TokenEx’s environment, effectively eliminating the risk of data theft in the event of a breach.
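A minimal sketch of the vault-style tokenization described above, added here as an illustration; it is not TokenEx's code or API. `TokenVault`, `store_card`, `breach_dump` and the demo key are hypothetical names, and the card number is a constructed test value.

```python
import hmac
import secrets


class TokenVault:
    """Stand-in for the external tokenization service; it alone holds PANs."""

    def __init__(self, api_key: str):
        self._api_key = api_key
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("expected a 13-19 digit card number")
        if pan not in self._token_by_pan:
            # Random token: no key or algorithm derives the PAN from it.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str, api_key: str) -> str:
        # The credential lives with the vault integration, not in the merchant DB.
        if not hmac.compare_digest(api_key.encode(), self._api_key.encode()):
            raise PermissionError("caller is not authorized to detokenize")
        return self._pan_by_token[token]


def store_card(merchant_db: dict, vault: TokenVault, customer: str, pan: str) -> None:
    """What the merchant persists: the token plus the last four digits only."""
    merchant_db[customer] = {"token": vault.tokenize(pan), "last4": pan[-4:]}


def breach_dump(merchant_db: dict) -> str:
    """Everything an intruder who copies the merchant database would see."""
    return repr(merchant_db)


if __name__ == "__main__":
    vault = TokenVault(api_key="constructed-demo-key")
    db = {}
    store_card(db, vault, "alice", "4111111111111111")  # constructed test PAN
    print(breach_dump(db))
```

The dump contains only the random token and the last four digits; recovering the full number requires both the vault's mapping and its credential, neither of which is stored in the merchant database.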