Data breach fallout haunts companies long after the fact

Data breaches have become a priority on most businesses’ cybersecurity agendas. The series of breaches that companies experienced in 2018 emphasized what security experts have warned about: that threats are ever present and persistent.

Last year, even companies with market capitalizations in the billions of dollars, like Under Armour and Marriott, fell victim to breaches. One would expect that, given their size, these companies would be resilient to such attacks. Yet whatever measures they had were successfully circumvented, resulting in the theft of millions of customer records.

And they’re not the only ones. According to the Privacy Rights Clearinghouse (PRC), 635 organizations of various sizes and from different industries disclosed that they fell victim to data breaches in 2018.

Fortunately, it appears that organizations have heeded the calls to protect their data and infrastructures. Businesses are increasing their investments in cybersecurity by adopting and integrating various data security tools and solutions. Gartner projects that information security spending will exceed $124 billion in 2019.

Enterprises stand to benefit from this growing security-first mindset. Falling victim to a data breach can have devastating consequences. One only needs to track how companies have fared after suffering major security breaches to see how the fallout can be felt long after.

Response costs

According to IBM and Ponemon, the cost of a data breach now comes to an average of $150 per stolen record. The figure takes into consideration various post-breach activities including investigations, data recovery and restoration, disclosure, regulatory compliance, loss of business, and damage to reputation. Response to “mega breaches” that involve millions of records can easily run up to somewhere between $40 million and $350 million.

Depending on the nature of the enterprise, the cost could be even greater. Credit reporting agency Equifax suffered such a breach in 2017, in which over 150 million records containing sensitive information such as names, addresses, and social security numbers were stolen.

It has been two years since and the company is still dealing with the aftermath in 2019. The company reports that it has spent nearly $1.4 billion in dealing with the attack, spending heavily on incident response and additional security and data protection.

Devaluation

Data breaches can also cause companies to be devalued. Perhaps one of the best examples of this is Yahoo. The popular web portal was involved in a series of data breaches dating back to 2014, though the incidents were first disclosed only in 2016. It was later revealed that its nearly 3 billion user accounts were affected by the breach.

At the time of disclosure, Yahoo was already well into acquisition discussions with Verizon. Due to the breaches, Verizon was able to complete its purchase of Yahoo at a $350 million discount from its initial price of $4.8 billion.

Company share prices can also take a hit post-breach. Comparitech studied the share prices of 24 publicly traded companies that were hit by security breaches. They found that prices dip to a low point 14 days following the incident, falling 2.89 percent on average.

In the long term, share prices of the companies studied continued to underperform the market despite posting growth. Within a year, prices rose an average of 8.53 percent but underperformed the NASDAQ by -3.7 percent. Within two years, prices grew 17.78 percent but still underperformed the NASDAQ by -11.35 percent.

Even rating systems are now taking cybersecurity into account. Recently, Equifax’s rating outlook was downgraded from “stable” to “negative” by Moody’s, which cited Equifax’s still ongoing response to the hack as a key factor in the decision.

Legal action

Governments and regulatory bodies are also coming out with more stringent data protection regulations. The European Union’s General Data Protection Regulation (GDPR) coming into effect compelled many companies to rethink how they gather, use, and protect customer data.

Non-compliance with these regulations can be costly. For lower-level infringements, the GDPR imposes fines of up to €10 million, or 2 percent of worldwide annual revenue, on non-compliant companies. For upper-level violations, the figures can rise to €20 million, or 4 percent of global income. A large global enterprise could easily be fined hundreds of millions of euros should it be found remiss.

Companies can also face lawsuits from customers affected by the breach. Marriott has already been served with several class-action lawsuits in relation to the massive data breach it suffered in late 2018. The cases were filed by past hotel guests whose information was among the 300+ million records stolen from its Starwood database.

As customers and consumers become more discerning about data protection, legal action against companies affected by breaches has become quite common.

Prevention is key

As such, it is highly important for enterprises to pay serious attention to how they protect data. Fortunately, cybersecurity firms have been constantly developing their offerings. Companies can now choose from numerous solutions that provide advanced persistent data protection, identity and access management, and even training and education to bolster their defenses.

Given what’s at stake, it’s only prudent for companies to make significant investments in cybersecurity, considering the long-term effects that falling victim to data breaches brings. For some, the fallout may even be grim enough that recovery might not be possible.