Twenty years ago, what privacy leader could have predicted that incident response would need to address today’s facts of life: distributed teams, remote workers, cloud infrastructure and a complete shift in the way organizations define and protect the perimeter? At that time, rapid innovation and ever-growing information storage made headlines and drove investment. Cybersecurity and digital privacy management were afterthoughts.
Today, privacy is paramount; according to a recent Wall Street Journal article, suspected ransomware payments nearly doubled this year. The US Department of Treasury and governments around the world describe the increase as a “critical national security threat.”
General counsels and chief privacy officers are left scrambling for the tools to address the problem proactively. Despite increased IT investments, nearly 80% of senior security leaders say their organizations lack sufficient protection against cyberattacks.
Reactive privacy incident response — in other words, responding to data breaches and other privacy incidents without predefined, dynamic playbooks — no longer works. Privacy executives point to five increasingly critical trends impacting their businesses and careers that compel leaders to act now.
1. The rise of privacy regulations
To keep pace with rapid advancements in privacy, governments around the world have strengthened privacy laws. In the United States, California implemented data breach notification laws in 2002, requiring businesses and agencies to disclose when personal information was exposed in a data breach. Since then, other states have followed suit with their own data breach disclosure laws. New York’s SHIELD Act, for example, is a recent regulation with a wide reach.
Global regulation changes have kept pace. Responding to the Facebook-Cambridge Analytica scandal, the European Commission released the first draft of the European Data Protection Regulation in 2012. Australia’s hallmark legislation has also undergone many updates, and Singapore’s PDPA and China’s Personal Information Protection Law just came into effect this year.
Regulatory shifts are likely to accelerate in pace and number. In fact, last week, Gartner issued a prediction that modern privacy laws will cover the privacy information of 75% of the global population by 2023 – a 10% increase over the same prediction made last year. When discussing regulations recently, the US Senate said data breaches are at an all-time high.
2. Sky-high costs
Around the world, data breaches cost global companies $4.24M per incident — unless remote work is involved, in which case the average is $1M higher. The most expensive data breaches occur in the U.S. ($9.05M per incident), followed by the Middle East ($6.93M) and Canada ($5.4M).
When privacy incidents and data breaches happen, organizations have 24 to 72 hours to report the event — or face hefty fines that can total millions of dollars. Still more concerning is the fact that multi-party data breaches create 26 times the financial damage of single-party breaches.
3. Shattered trust and revenue
When data breaches and privacy incidents occur, their direct cost exceeds that of fines and service downtime. Customer attrition impacts short-term revenue and reputation, which in turn negatively influences a company’s ability to acquire new business. Similarly, partnerships and business development suffer, as affiliates distance themselves from the privacy incident.
In August 2021, Zoom reached an $85M settlement over user privacy, for sharing personal user data with Facebook, Google, and LinkedIn and for permitting hackers to interrupt Zoom calls. While that figure alone is staggering, the effect on employee, customer and partner trust is perhaps of more concern. Zoom’s share price fell from $559.00 in October 2020 to as low as $255.05 in October 2021, as legal discussions proceeded and the settlement became public. Events such as these are elevating the importance and visibility of privacy with company boards.
4. Litigation that lasts and lasts
The litigation following a privacy incident can be just as devastating to revenue, expenses, customer attrition, and brand reputation. It also consumes time and focus, distracting team members from other business-critical priorities.
In the case of large data breaches, privacy incident litigation takes up to five years, on average, and outside counsel comes with a price tag that averages $100M per incident.
For medium-size data breaches, regulatory reporting and litigation generally last up to six months and average between $50K and $100K per breach. While medium breaches cost less, they happen more often. Four or five breaches a year can cost you as much as half a million dollars!
Small events that don’t require regulatory reporting happen, on average, twice a month. They require outside counsel to the tune of $15,000 per incident, which can total $360,000 per year. Despite their smaller size, the costs of these data breaches shut down 60% of affected small businesses forever.
5. Limited talent and experience
Today, privacy experts find themselves in similar positions to privacy novices: learning the new ways they must act. As one privacy executive said in a recent conversation: to the degree that fewer resources and less talent are available to privacy teams, more is required of them. A highly experienced panel of privacy professionals discussing how to build a strategic privacy program at the Privacy + Security Forum agreed: “The responsibilities of privacy professionals continue to grow while resources are increasingly difficult to procure.” Human teams alone will not be able to scale to the magnitude of the threat of privacy incidents – they will need tools to help them automate predictable tasks and coordinate workflows.
Fortunately, times are changing. Senior privacy teams understand that they need to put technology and tools in place to address incidents proactively the moment they occur. To learn more, read “5 ways experts are upgrading their privacy incident programs.”