In 2019, medical testing firm Quest Diagnostics reported a data breach that led to the theft of 11.9 million patient records. Soon after, another medical company, LabCorp, lost 7.7 million patient records in a data breach.
Both companies blamed the American Medical Collections Agency (AMCA), which had access to the records, for the breach. In the aftermath, AMCA spent over $3.8 million USD sending notifications to more than 7 million people whose records had been hacked. They also spent more than $400,000 on consultants and IT experts.
Under the weight of these expenses, AMCA was forced to lay off most of their employees, reducing their workforce from 113 to 25. Finally, they filed for bankruptcy.
This sad story is not an isolated case. Especially with the growing threat of ransomware, more and more devastating data breaches are happening all the time. This leaves many people wondering what data breaches cost and why.
Knowing the answers to these questions is helpful both for raising awareness about the importance of cybersecurity, and for taking steps to minimize damages in the event of a data breach.
What do data breaches cost?
The cost of a data breach can vary widely depending on multiple factors, including the type of data compromised, the amount of data leaked, and the relevant laws and regulations.
The global average cost of a data breach stood at around $4.35 million in 2023. This varies by country: the United States has some of the highest costs, with an average of over $9 million, while in Brazil the average is just over $1 million.
Costs also vary by industry. Healthcare data breaches, for example, carry significant additional costs, and so do financial data breaches.
Costs can also be high in the technology and pharmaceutical industries, since leaked data can include proprietary information. Any company that stores the billing data of a large number of customers is also at risk of above-average data breach costs.
Type of data
The type of data involved can have a big influence on costs.
Data exfiltration or double extortion is an increasingly common feature of ransomware attacks. This can be worse than other data leaks, because it is specifically targeted to intimidate the victim.
In some cases, ransomware gangs will even call up a victim’s customers and start harassing them to put more pressure on the victim to pay a ransom. They can also threaten to hand over sensitive information to competitors.
The costs of regulatory compliance and fines are the biggest burden in most data leaks, but in ransomware cases, ransom demands add even more financial damage.
Reputational damage resulting from a data breach can be hard to calculate, but still devastating. Having to contact customers and explain that their private data has been compromised can destroy trust and lead many to take their business elsewhere. Being featured in the media makes matters even worse.
Ransomware attacks in particular can cause major productivity losses. Ransomware encrypts compromised data, making it difficult or impossible for employees to work, while overhead such as salaries and rent continues regardless.
Especially in the retail and industrial sectors, downtime can translate to a lot of lost sales or production.
Fines and penalties
Not handling a data breach properly, especially failing to report it in a timely fashion, can lead to major fines. You can also be fined for deliberate neglect of cybersecurity vulnerabilities that lead to a breach.
Fines can get quite high: credit reporting agency Equifax agreed to pay $575 million in fines for failing to patch a vulnerability and for not informing the public for weeks after the leak of millions of records.
How to minimize data breach damages
A few fairly basic steps can seriously reduce the damage done by data breaches.
Prevention is better than cure, so a strong cybersecurity stance is your first line of defense. It’s also important to prepare for the worst: having an incident response plan in place is key.
A good incident response plan should assign roles and tasks in the event of a data breach, including determining what data is compromised and whether or not there are regulatory requirements to follow.
A good encryption policy can also be a big help. If data is encrypted and hackers cannot get at the encryption keys, the data they steal is useless and cannot be used to harm your customers.
These steps may not eliminate the costs associated with a data breach, but they can translate to saving large amounts of time and money.