Serious data breaches can be extremely costly for organisations when they occur.
Despite this, we find that many businesses are unprepared for dealing with such an event, or have neglected to invest in appropriate measures to prevent them. It can be seen as a “It’ll never happen to us” mindset. After all, it can be easy to put off investing funds into something that you don’t envisage ever happening, whether that be our roof caving in, or a data breach at our place of work, especially when there are other competing priorities for our budgets and resources.
Failing to implement proper measures to prevent breaches and to deal with them once they have occurred can leave organisations in hot water with the regulator and your customers and wider stakeholders.
What is a data breach?
The term “data breach” has a very wide definition, essentially encompassing anything that can compromise the confidentiality, availability or integrity of personal dataInformation which relates to an identified or identifiable natural person.. Breaches come in all shapes and sizes, from simply Cc’ing instead of Bcc’ing an email recipient, to leaving an unencrypted work laptop on a train, to a huge cyberattack which exfiltrates and or encrypts data stored on an entire server network. Obviously, these different breaches present different levels of risk to both data subjects and the organisations that suffer them, and therefore warrant different levels of investment in order to protect against them.
For the more serious of breaches, those that result in a risk to the rights and freedoms of the data subjects affected, the requirement that you have to report these incidents to your supervisory authorityAn authority established by its member state to supervise the compliance of data protection regulation. (within 72 hours, as required by the GDPR) brings with it the potential for more serious consequences. This is unsurprising given you are obliged to bring your own failings to the attention of your regulator.
Further up the chain of seriousness, however, when a breach results in a high risk to the rights and freedoms of the data subjects, you must inform not only your supervisory authority of the breach but also the affected data subjects – which may well have an adverse on your brand and reputation.
Consequences of a breach – individuals
The effects that a data breach might have on the individuals impacted can range right from no effect at all, through to a slight inconvenience (e.g. having to provide deleted information again), right through to a catastrophic impact. This could include:
These are all considerations that must be taken into account when assessing whether your supervisory authority, and possibly the data subjects themselves, need to be informed of the breach.
Consequences of breaches – organisations
In addition to the potential to cause harm to your data subjects, data breaches can also significantly harm your organisation.
When people first think about the financial loss caused by a data breach, thoughts immediately spring to the potential fines to which organisations are exposed – under the GDPR this is up to €20 million (£17.4 million) or 4% of global annual turnover.
Examples of financial consequences is the Information Commissioners Office’s (ICOThe United Kingdom’s independent supervisory authority for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc.) fines of British Airways and Doorstep Dispensaree. The ICO fined British Airways £20 million for failing to protect the personal data of 400,000 customers. Following the ICO’s investigation, it was found that the breach was preventable if adequate security measures were in place.
The ICO also fined Doorstep Dispensaree £275,000 after it was discovered that documents containing names, addresses, dates of birth, prescriptions, medical information and NHS numbers were left in the courtyard and were not marked as confidential waste. Both of these cases stresses the importance of having good breach management and data protection policies and procedures in place. Doorstep Dispenaree’s case could have easily been avoided if someone was trained in handling confidential waste and they had destruction policies in place.
Even without a penalty from a supervisory authority, the administrative cost of the fallout from a breach and dealing with it can soon rack up. Financial damage can result from the inability to service customers and clients; the costs of re-building systems and networks that have been compromised; having to get expert third party advice on forensic investigations, mitigations and dealing with the breach; and even in compensation claims sought by the affected individuals.
In fact, research conducted by Ponemon Institute and IBM determined that the average financial cost of a data breach to a large business was $4.24million. In short, breaches are expensive.
Aside from the monetary value of a data breach, even relatively “cheap” breaches can cause irreparable harm to an organisation’s reputation, particularly if it claims to value security and privacy.
Thanks to the huge increase in awareness around data protection and privacy rights that has occurred since the EU GDPRRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (General Data Protection Regulation). first came into existence, a large part of which can be attributed to the publicity that large data breaches now command, data subjects are far more critical of businesses and their data protection practices. Data subjects will not stand for the misuse of their personal data, which means organisations are held to account far more and, as we have seen time and time again, individuals are willing to take their business elsewhere if organisations prove to be unworthy custodians of their personal data.
The answer? Invest in prevention
Whilst it is impossible to reduce the risk of experiencing a data breach to zero (they are, unfortunately, just part of running an organisation), investing in measures to protect against data breaches is essential for all organisations, as well as being part of their Article 32 GDPR obligations. What this means for your organisation will depend upon your budget, the size of your organisation, the types of personal data you processA series of actions or steps taken in order to achieve a particular end. and the systems you use, but could include:
Ultimately, whilst investing in data breach prevention at the outset may seem like a big commitment at the time, your future self may well thank you. Because when it comes to data breaches, the old adage is true – prevention really is better than cure.
The DPO Centre offers advice and support on preventing and dealing with data breaches, including the creation of bespoke policies around data breaches and wider information security. We also offer personalised data protection training, delivered both in person or remotely. For further information, please complete the contact form below.
Fill in your details below and we’ll get back to you as soon as possible