How much does a data breach cost?

Great news if you’re a buyer. For those in the market for stolen data, the cost has been decreasing steadily for a few years now. Whereas at the turn of the decade your financial data was worth $100, it can now be worth less than $5. Isn’t capitalism great?

The problem of cheap stolen data
For businesses that hold information on ‘data subjects’ – in essence, any personally identifiable information, which means just about every organisation – it should be a worry. Why? Because it shows that the ‘dark web’ is swimming in stolen data. The rules of supply and demand are just the same for criminals as they are for us. This, in turn, means that hackers and the increasingly sophisticated criminal fraternity aren’t finding it that hard to steal data. In fact, for many, simply stealing data is just one component of a whole raft of business operations that deliver illicit profits. Not all criminals are stupid. They are chasing profits, just like you.

For example, this week the ICO fined an online business £60,000 because, thanks to criminal activity, all the user data entered – including credit card details – was secretly being stolen. The company didn’t even know it had been hacked.

Fines for data breach
The bad news for businesses, and we may as well get this bit out of the way first, is that losing data or suffering a data breach is not cheap by any means. The UK ICO can now issue fines of up to £500,000. Seems a lot? From May 25th next year, under the General Data Protection Regulation (GDPR), fines of up to €20 million or 4% of turnover are allowed. Remember that it isn’t just the loss of data that businesses need to be concerned by – merely a breach of data privacy, or non-compliance with a robust framework, can see you get in trouble.

Other costs to business
In addition, consider the other costs you may incur. Let’s use a small solicitors’ LLP of 15 people as an example. What would the cost be if ransomware hit the network? How quickly could their IT company recover? Two days? Only if you’re lucky and they had a correctly implemented and tested recovery plan. You do have one of those, right? Imagine no one being able to work effectively for just two days due to a data breach. How much would that cost in lost productivity? The median salary of an experienced solicitor is currently £42,289 per annum*.

Our imaginary practice has five of those. Throw in three managing partners (£90,000), three newly qualified solicitors (£27,318) and three paralegals (£18,648). Last, but not least, let’s not forget the receptionist who thinks they run the whole company (£15,961). That makes a daily wage bill of £2,443 and some change. So two days down, as a minimum, would cost £4,886 in salary alone. Add in the cost of lost data processing – i.e. the stuff the backup didn’t back up in time – and the actual cost can easily spiral. One small business recently took a week to get systems back online, and a month later they are still trying to recover from the lost data and general problems. Another company was offline for a week because they had to set up a bitcoin account to pay a ransom and didn’t know how to.

Then you need to consider reputational damage. How much would that cost? Well, would you trust your solicitor if he had his data compromised? The damage could run into tens of thousands in lost business. But it gets worse. Sorry. Solicitors hold highly sensitive data in many cases. We have already seen examples where, instead of money being transferred to vendors, it goes to the criminal after a few clicks. In that particular case the SRA gave them a firm rebuke and a slap on the wrist of £1,350 in fines.

How do you know your data has gone missing?
Just for some perspective, the SRA received 99 reports of cybercrime in 2015/16. But would you know if your data was stolen? After visiting countless practices, my view is that it would be the exception rather than the rule. Data security in the legal profession at the smaller end of the SME level (say around 60 users and below) is often a case of ‘we leave it to the IT company’, despite solicitors being strong candidates for attack.

What the law says
All solicitors are obliged to comply with the Legal Services Act 2007, the Data Protection Act 1998 and then, from 25th May 2018, the GDPR. You cannot afford to ignore these, because the crooks have plenty of ways to find weaknesses in your network and give you a data breach, and the regulators have plenty of ways to fine you. All of a sudden, securing against data breach and having the policies and programs in place to manage it correctly doesn’t seem that costly, does it?

A pragmatic approach
At this point, some vendors will be rushing to sell you some shiny software that will cure all your GDPR and compliance related ills. It may even make you a cup of tea and cure sore throats. Some are good. Some not so good. Some are pretty appalling. Most are costly. So a more measured, methodical and pragmatic approach is required. Before jumping in or acting on bad advice, I would recommend two things – firstly, look at what the ICO recommends as first steps. They have published 12 steps you need to take now. Secondly, the SRA have published a handy guide to risks and compliance. Due to a combination of limited internal resource and widespread cloud adoption, many companies are struggling to digest and implement these steps. If that is the case, you can contact me for a friendly, no-obligation chat that won’t cost you a penny.

(*all salary information from – so don’t blame me!)

Simon Ghent

About Simon Ghent

Simon provides data security consultancy and virtual data protection officer services in the professional services sector. He is a consultant at DG Legal
