It’s no secret that the cost of a data breach is significant for any organization. In Ponemon’s most recent study on the cost of a data breach, the average cost in the United States was pegged at $8.2M. While it’s crucial organizations are aware of these upfront costs, many companies don’t realize that these costs can stretch on for many months and often years.
This trend has become so clear that in its latest data breach report, Ponemon actually added a new section to its annual cost study in which it analyzed the “long tail” costs associated with a data breach, which we briefly highlighted in a previous blog post. Remarkably, the study found that for organizations in highly regulated industries, only 53% of the costs of a data breach were incurred in the first year after the incident occurred. Then, on average, those companies experienced 31% of the total cost of the breach in the second year, and another 16% of the cost more than two years following the incident.
Any organization that has experienced a breach or privacy incident of any consequence has felt the pain of the long tail. However, those that have not experienced an event may not realize that it is important to include the effort and expense of the long tail in the company’s incident response plan and not just the immediate costs associated with forensics, initial remediation, notifications, and credit monitoring.
It’s now a given that any breach has the potential and strong likelihood of bringing regulatory investigations and litigation that will stretch its impact for years. By examining some of the details from large breaches in recent years, you can see how these long tail costs continue to expand both in time and dollar value. In other words, the long tail is getting longer.
In 2016, Yahoo disclosed that it suffered a series of breaches in 2013 and 2014. Initially, Yahoo estimated that over 1 billion accounts were affected; however, by 2017 Yahoo indicated that the string of breaches had actually impacted 3 billion user accounts. Ultimately, the disclosure occurred in the midst of an acquisition by Verizon and caused the acquisition price to drop by $350 million in anticipation of the inevitable long tail costs for future investigations and litigation.
It is difficult to track Yahoo’s actual expenses from the breaches because the full extent of expenses is not delineated clearly in its SEC filings. In its 10-K for 2016, Yahoo estimated that it had spent $16M on the “security incidents.” Yahoo then entered into a settlement with the SEC in 2018 for $35M and in April of 2019 Yahoo entered into a separate settlement for $117.5M. The closest thing to a summation of the costs for the security incidents appears in Yahoo’s SEC Form N-CSR for 2018 which states that the total accrued for the security incidents was $152M, which appears to simply add the value of the two settlements together ($35M + $117.5M = $152.5M).
It is also likely a very large amount of legal and consulting fees were left out of this summation. Assuming the 2019 settlement concludes the costs for those security incidents, which may not be the case, the long tail of costs have continued for 3 years and may have reached annual peak in the last year—much like what is seen in the Equifax long tail breach costs.
In 2017, Equifax suffered a mega breach carried out by Chinese military-backed hackers that resulted in the exposure of 147 million consumer records. Based on its most recent U.S. Security and Exchange Commission (SEC) Form 10-K filing, thus far Equifax has experienced the following costs each year since the breach: $114M (2017), $326.2M (2018), $1.138B (2019). If you take into account the insurance recoveries of $50M (2017) and $75M (2018), the breach has resulted in at least $1.703B in costs over the last 3 years.
The Capital One cyber attack last year was carried out by a former Amazon employee who gained access to over 106 million consumer records. Capital One’s annual report indicates that it spent $72M in 2019 and that it anticipates the total cost could reach $150M. Capital One was able to get $34M of the initial $72M covered by insurance. The disclosure also notes that the company has been named in 72 class action lawsuits. If the settlement of those class action lawsuits plays out like the Equifax cases, Capital One may not truly know the scope of its liability for a couple more years but could easily exceed $1B.
In June of 2019, Desjardins disclosed that it had suffered a data breach involving personal data for 2.7 million individuals and 173 thousand business members. Within two months, Desjardin estimated that the total cost for the breach would be $53M. As the aftermath continued to unfold, however, the Desjardin Chief Executive Officer, Guy Cormier, fired the Chief Operating Officer and the Senior Information Technology Vice President in December. Finally, as of February of this year, Desjardin now estimates that the total immediate cost of the breach has more than doubled to an estimated total of $108M.
Why do data breach costs extend beyond the first year?
After a data breach companies expend resources both directly and indirectly. There are obvious direct and immediate costs such as the forensic investigation, regulatory notifications, customer notifications, contractual notifications, customer credit monitoring, regulatory fines, public relations, attorney fees, and investments to improve their technology architectures and security programs. The longer-term and indirect impacts include a number of costs that won’t show up in a company’s 10-K like brand damage, lost revenue, mistrust from consumers, mistrust from contractual partners, increased cost of debt, increased insurance premiums, and business interruption.
Both direct and indirect costs will extend beyond the first year of the breach, but the financial impacts identified in the above examples mostly derive from the increasingly complex regulatory environment in which companies operate within. There are now data breach regulations in every state within the US and practically every developed country in the world. Many of these regulations not only provide government officials like state attorney generals chartered with protecting the privacy of their constituents the ability to conduct investigations and levy fines, they also open the door for class action lawsuits from these consumers and if amended regulations pass like the California Privacy Rights Act, that door may be opened even wider. In some instances, like that of the Yahoo breach, executives are both being fired and even being named and sued personally.
The Importance of Preparing for the Long Tail
Most organizations realize that data breaches and privacy incidents are inevitable, but many do not realize how preparing for those events can limit the expense and impact of the long tail. Investigations and lawsuits take time to run their course, and it’s well understood in the litigation world that most lawsuits, even those that are far less complex than a data breach, take 2 to 3 years to reach a result. By preparing for the inevitable now, organizations can establish processes and procedures that ensure that they meet all regulatory and contractual responsibilities. The BreachRx platform is designed by privacy and security experts with the long tail in mind. It allows organizations to operationalize the processes needed to handle an incident efficiently and with legal and regulatory compliance in mind and help significantly contain these increasing long tail costs when the inevitable breach does occur.