Data privacy has all but dominated the news over the past few weeks. Facebook and Cambridge Analytica, the Uber breach, and the discovery of vulnerabilities in the Jollibee delivery portal are just a few examples.
I often find myself amazed at the immense cost of data breaches on corporations. Every second, 58 data records are stolen. In the time it takes me to write this article, over 100,000 data records will have been accessed and stolen. Per day, close to 5 million data records are lost or stolen, according to the Breach Level Index.
In 2016, a study by the Ponemon Institute and IBM reviewed numerous cases of data breaches and computed the costs suffered by companies in various industries.
Data breaches cost, on a per data record basis, $355 (P18,419) for the healthcare industry, $246 (P12,763) for education entities, and $221 (P11,466) for banks and financial institutions. Let me emphasize that again: this is the cost per data record.
Of course, you could argue that the costs in these industries are high given that they deal in sensitive personal information. A person’s finances and health conditions are highly confidential, and a breach involving them therefore costs a significant amount.
However, even the costs in other less sensitive industries are likewise high. A breach would cost retail industries $172 per data record (P8,924) while communications would incur a cost of $164 (P8,509) per data record.
Consider the case of the 2016 Comeleak, the largest government-related data breach in recent history. The full names, birthdays, home addresses, and for OFWs, their passport numbers, were breached and published by hackers online. A total of 55 million Filipinos were affected.
Let’s consider the OFWs alone, for example. Passport information from about 1.3 million OFWs was published in that incident. Renewing a passport today costs about $22 (P950), amounting to a staggering $28.6 million (P1.48 billion).
Clearly, data breaches are a serious matter.
On average, data breaches cost companies $4 million (P207 million). The largest component of that is in lost business due to the breach, averaging $1.6 million (P84.57 million). Industries that rely on the trust of their customers clearly cannot deny that the opportunity losses would be staggering if customers shifted their businesses to other firms and entities due to a breach.
The second largest component is in ex-post response, having to deal with the effect of the breach after it has occurred, such as investigations, PR and crisis communications, and legal fees.
Take, for instance, the Ashley Madison breach. It was a website promising confidentiality and banked on a hush-hush mentality, as it connected people for affairs and for those with certain sensitive sexual proclivities. In 2015, hackers broke into their databases and released the information publicly, resulting in more than personal embarrassment for the account holders as data subjects. Some committed suicide, in fact. As a result, the company had to fund a class action settlement in the amount of about $11.2 million, or over half a billion pesos.
In March of this year, a company called We-Vibe wanted to bring its sexual toys to the digital age by connecting vibrators to apps, thereby enabling couples to spice up their intimate lives in a technological way. While not suffering a breach, it became apparent that the company was collecting the intimate data generated and the company was sued. It has agreed to pay a settlement of almost $4 million, or a little over P207 million.
We clearly live in a highly digital age. Our reliance on data is simply a way of life. There is now that underlying obligation on those companies to whom we give our data to protect it the best way they can, or suffer the clearly expensive consequences.
As a final word, I quote Atty. Francis Acero, a long-time friend who works in the National Privacy Commission. He said, “Compliance, in data privacy, isn’t about getting away with the minimum. It’s about doing your utmost. Anything less is not compliant.”
Wise words indeed.
The author is founder, CEO, and counselor for Compliance, Trade & Investment, and Government Relations & Public Policy at Caucus, Inc., a multi-industry, multi-disciplinary consultancy firm. He is an MBA graduate from De La Salle University, obtained his Juris Doctor from Far Eastern University, and LLM in International Commercial Law from the University of Nottingham, United Kingdom. He was a Chevening-HSBC UK Government Scholar, a Confucius Institute Scholar, and an alumnus of the US State Department’s International Visitor Leadership Program. He teaches at the College of Law of the Pamantasan ng Lungsod ng Maynila and at the College of Arts and Sciences of Miriam College. The author may be emailed at firstname.lastname@example.org