Generally, the purpose of awareness holidays like Data Privacy Day is precisely that: to raise awareness. This year, the BreachRx team asked a potentially controversial question: is privacy awareness enough?
As consumers, we all know that ecommerce sites and advertisers track our actions and preferences in many ways, but how many of us have truly changed our behavior? Similarly, most organizations know that privacy is important, especially on Data Privacy Day. But has that knowledge changed the actions that businesses and investors take?
Over the last few weeks, we deliberated with each other and our peers, swapped notes with customers and other industry-leading companies, and volleyed opinions with our advisors and board.
Most of us agree: awareness needs to be converted into action. Today, we celebrate Data Privacy Day by exploring exactly how businesses and investors can take action alongside mounting privacy innovation — and harness the current landscape’s large, low-hanging opportunities to fundamentally evolve privacy.
The contradiction of corporate privacy and security spend
Businesses invest enormous amounts of money in cybersecurity every year to defend themselves from breaches, but when breaches inevitably occur, the bulk of post-incident cost is related to legal and privacy. Data from the annual Ponemon Study reports underscores this contradiction between facts and behavior.
Over the last three years, the average corporation spent:
- 73% of incident-related resources on legal and privacy in 2019
- 76% of incident-related resources on legal and privacy in 2020
- 79% of incident-related resources on legal and privacy in 2021
Clearly, spending only on legal and privacy after incidents and breaches occur will continue to escalate costs. Enterprises are likely to spend 80% or more of post-incident resources on related privacy and legal activities in 2022.
If 80% of incident costs and problematic contributors are related to legal and privacy, why would teams allocate resources only after breaches happen, and why would they focus preemptive investments on security? New spending habits are needed to deescalate the number and cost of incidents and truly constrain organizational liability.
Proactive privacy readiness investments are urgently required.
Where are VCs on the privacy and security continuum?
Venture capitalists have historically invested disproportionate amounts in cybersecurity over privacy. However, as attention and innovation shift and the privacy technology landscape balloons, VC curiosity and investments are shifting, too. Again, the numbers tell this story powerfully.
In 2021, cybersecurity venture investment surpassed $20B ($21.8B), setting new one-year and quarterly records — and records for size of deals and number of rounds.
To put these sums into context: whereas VCs poured $2.8B in investment dollars into security in Q4 2020, they invested nearly three times that amount ($7.8B) in Q4 2021. Further, 2021’s investments of $21.8B exceeded the $8.9B invested in 2020 by nearly 2.5 times.
Contrast security investment totals with the 230 privacy startups that collectively raised $2.6B via 507 funding rounds across multiple years as of January 2022. That means that 90% of today’s cybersecurity investment is addressing less than 20-30% of the challenges businesses around the world face from incidents and breaches.
Of course, cybersecurity companies matter. In fact, the very best venture firms are active cybersecurity VC investors that support impressive security companies like Demisto, Endgame, Okta, Palo Alto, Phantom, and Socure. The point is not that cybersecurity isn’t important. The point is VCs’ privacy opportunity, something that a growing number of firms recognize: Accel, Greylock, Kleiner and other VCs with data privacy investments in early-stage companies, such as Transcend.
VCs have a vested interest in preserving the value of their early stage companies and those with substantial intellectual property. Privacy investments don’t just have lucrative individual potential; the overall strategy buffers the entire portfolio.
Privacy innovation and change are escalating
Corporate and VC investments in privacy are only becoming more critical. As we shared in a post with shocking privacy stats, nearly half of U.S. companies have experienced a data breach in the last year. The average cost per breach ranges from $4M for fewer than 100,000 records to $401M for a million records or more.
That reality compounds alongside new legislation. While the EU’s GDPR used to be an outlier among privacy regulations, today it is just one of many across the world. In fact, there are now over 180 regulations for data privacy in 128 countries with many more on the way.
There’s also the escalation of insurance costs as coverage narrows. As we shared in our 2022 predictions for privacy and security, some experts “predict cyber rates could reach up to 150% of existing cost structures in certain areas […] while insurance firms slash currently insured areas due to missing expertise and/or marketplace anxiety on their rate-setting teams.”
How enterprises, high-growth orgs, and VCs modernize privacy
Global enterprises, high-growth organizations, and VCs must refocus their attention to align investments with business areas that contribute to privacy readiness. The following are a few steps that leaders in each group are taking today.
- Global enterprises. In the heat of the moment, relying on lengthy playbooks and manual processes won’t work. Large financial services and healthcare companies, as well as government contractors under Congressional pressure, require predefined processes, frequent table tops, and automated response technology.
- High-growth organizations. Given the reality of budgets and talent shortages, throwing more humans at the privacy problem is an untenable solution. Growing companies instead look for lean, technology-assisted ways to prepare for privacy readiness. This is particularly true for companies in financial services, high tech, healthcare, and digitally driven critical infrastructure, and is likely a big reason why year-over-year spend on privacy technology is up 30%, according to the IAPP-EY Annual Privacy Governance Report 2021.
- Venture firms. Tier 1 firms that invest in security and privacy, as well as venture specialists in regulated markets, are reassessing their investment allocation strategies between the two sectors. As they do, they’re recognizing privacy investments’ return potential.
Will this year’s Data Privacy Day inspire the action that its awareness goals deserve? Probably not yet. But one thing is clear: new ways of thinking and acting are rapidly emerging to address today’s increasing innovation, change, and growing number of data breaches and privacy incidents.
We believe breaches shouldn’t end businesses. Do you feel passionate about that, too?
If so, we’d love to invite you to apply to join our growing community of CPOs, GCs, and privacy executives. Each month we get together to discuss timely, crowd-sourced topics, network, and learn from topic experts.