More than 2,600,000,000 digital records were lost, stolen, or exposed last year in 1,765 data breach incidents, including 1,453 in the U.S. Despite ongoing advances in cybersecurity, data breaches continue to occur--and reoccur--with alarming regularity. Companies that suffered a successful attack in 2018 have a 27.7% likelihood of experiencing another data breach within 24 months. It takes businesses an average of 191 days to detect a data breach and 66 days to contain it.
Within the U.S., the average costs of each data breach include:
* $1,070,000 for detection and escalation, including investigation, assessment, auditing, and crisis team management.
* $690,000 to notify customers, including creating a contact database, postage and other communication costs, and engaging outside experts.
* $1,560,000 for post-breach response, including customer support, legal fees, remediation, regulatory interventions, and inbound communications.
* $4,130,000 in lost business costs, including high levels of customer turnover, increased customer acquisition costs, reputational damage, and loss of goodwill.
Though companies may balk at the expense of IT security and other proactive and preventative measures, those measures are far less costly than a data breach. In Equifax's case, for example, the company has recorded hundreds of millions of dollars in losses and, when lawsuits are factored in, the total could run into billions. Certain expenses are unavoidable--such as repairing the breach and attempting to make things right for customers--but businesses also should budget for crisis management expertise from the moment a breach is discovered. Those who delay or cut corners could soon find themselves facing a PR disaster of far greater magnitude, as well as skyrocketing costs.
Equifax has received harsh criticism for the poor handling of its 2017 breach, which impacted 147,700,000 Americans. The company waited nearly six weeks before announcing the breach, and three of its executives sold off nearly $2,000,000 in shares in the interim. Instead of reaching out directly to impacted consumers, Equifax set up a website--but it was not ready for days. When the company offered free credit-monitoring services to those affected by the breach, it initially required enrollees to waive their right to sue--and after Equifax's initial statement, CEO Richard Smith did not publicly address...