8 Shocking Statistics About Data Breaches: What General Counsels and Chief Privacy Officers Can’t Afford NOT To Know About Privacy Incidents

Eight statistics that underscore why data breaches are no longer something to which today’s best GCs and CPOs respond after an incident occurs.

General Counsels (GCs) and Chief Privacy Officers (CPOs) instinctively understand the magnitude of what privacy incidents represent for their business and careers. For this reason, industry leaders are rapidly abandoning a reactive approach to privacy incident management.

This blog shares eight statistics that may surprise you. All underscore why data breaches are no longer something to which today’s best GCs and CPOs respond after a privacy incident occurs.

  1. 47% of U.S. companies have experienced a data breach within the last year.

While it’s tempting to believe a privacy incident won’t affect your company, your odds are as good as a flip of a coin. Data breaches happen far more often than the mega breaches we all read about in the news, which involve one million records or more.

In the event of a data breach, steer clear of having a response plan that lives inside dozens of pages in Word or a PDF. When an incident occurs, your team is unlikely to have the mindspace or the time to sit down and read it. No one needs that kind of disorganized chaos.

  2. In 2020, the average cost per privacy incident was $4 million for data breaches involving fewer than 100,000 records — and $401M per mega breach.

Furthering the above argument is the fact that data breaches are increasingly expensive. While the average cost of a breach globally is $4 million, that average expands to $5 million if remote workers are involved — and remote workers invariably are part of the corporate picture these days. 

Even more staggering, in the case of mega breaches involving a million or more records, costs average $401M.

  3. The most expensive regions around the world for privacy incidents involving fewer than 100,000 records include the United States ($9M), Middle East ($6M), and Canada ($5M).

Global averages multiply when you drill down into specific countries. It’s a staggering number when you consider that the cost of data breaches rose 10% in 2020 alone. That year-over-year increase is the largest of the last seven years.

  4. Despite hefty fines for delayed reporting of breaches, it takes organizations an average of almost nine months to identify and contain data breaches.

The averages just discussed are exacerbated by the fact that organizations must report a breach in a mere 24-72 hours. Delays incur fines, which compound the consequences.

  5. Fines are just the beginning. On average, businesses lose $1.52M in customer business in direct relation to a privacy incident.

When data breaches cause system downtime, revenue loss and customer turnover can cascade. On average, data breaches also shave off 7.2% from a company’s stock price.

Longer-term impacts cascade as a company’s reputation lingers in the market. In fact, according to the Cisco 2020 Consumer Privacy Survey, 89% of those surveyed said they care about data privacy, and 70% listed privacy management as one of their critical buying factors. Those buyers plan to act on their concerns about privacy by purchasing from companies with good practices in place.

  6. Of all non-penalty costs related to data breaches, a loss of personally identifiable information is the most expensive type.

Consider that the recent T-Mobile breach exposed more than 40 million records, then multiply that number by the average loss per record – $180. That’s over $7.2 billion. 

  7. For all of the prior reasons and more, today’s business leaders list data privacy, compliance, and cybersecurity as top issues to address in 2021.

According to the 2021 ACC Chief Legal Officers Survey, data privacy, compliance, and cybersecurity were listed as the most critical issues for business. Different from previous years, cybersecurity beat out compliance in the top 2021 spot.

Rounding out the story with more numbers: 44% of CEO respondents rank data privacy among the top 3 policies most impactful to their business, according to PWC’s 2020 research on top policy trends in data privacy.

  8. Over one-third of GCs and CPOs purchased incident response software last year. [6]

Similarly, 15% plan to buy incident response software in the next 12 months. Privacy program assessment and management software is also on the rise. One in five executives purchased privacy program assessment and management software in the last year, and one in five plan to join them in the year to come.

Governments care about privacy. Customers demand privacy, and so do shareholders. Is it any wonder, then, that businesses treat privacy incident management as a mission-critical priority?

Many businesses don’t remain standing after data breaches, and the same can be said for the professionals that are responsible for privacy incident management. Don’t wait for a data breach to put a plan into place. 

Prepare for it, so when you respond to it, you’ll recover from it well and fast.

Need help with an incident response strategy?

Leverage the BreachRx platform to build an actionable incident response plan today!


  1. 2021 Thales Data Threat Report, Thales Group
  2. Data Breaches Cost Companies 4.24M Per Incident On Average, CFO.com
  3. Privacy Incident Response KPIs, Jay Cline
  4. Ponemon, Cost of a Data Breach Report 2021
  5. 2021 ACC Chief Legal Officers Survey
  6. How Privacy Tech is Bought and Deployed
  7. Cisco 2020 Consumer Privacy Survey, Cisco
  8. Equifax Data Breach Settlement, Federal Trade Commission
  9. Top Policy Trends in 2020: Data Privacy, PWC
  10. Companies With Security Fails Don’t See Their Stocks Drop As Much, According To Report, Forbes
