The Cost of Data Breaches

  • 10 Jul 2021
  • 5 Mins Read
  • 〜 by Wanjiku Mwai

Growth of Technology

Kenya’s digital landscape has grown immensely amid the Covid-19 Pandemic period partly due to the reliance of technology as a saving grace. With the growth, new technology and increased internet connectivity has led to an increase in information sharing. This has improved communication networks across the country.

Cybersecurity Statistics

While many Kenyans are increasingly becoming aware of their data protection and privacy concerns, hackers are also at work. The Cyber Security Report by the Communications Authority of Kenya (CA) for the period October – December 2020 showed that the total number of threats detected by the National Computer Incident Response Team Coordination Centre were 56.2 Million. This was a 59.8% increase from the previous period July – September, where 35.1 Million cyber threats events had been detected. Notably, malware attacks were the highest at 46 million, followed by web application attacks at 7.8 million while 2.2 million Distributed Denial of Service(DDOS) during the October period.

A New Dawn

Various data breach statistics show that hackers are driven by the money to acquire data. As companies increasingly experience security breaches, there is a surge of compromised data. Previously, before the promulgation of the Data Protection Act, 2019 Kenya relied on the Kenya Information and Communication Act of 1998 (KICA) which included cybersecurity-related provisions that prohibited various actions that would threaten cybersecurity. The promulgation of the Data Protection Act marked a great milestone in Kenya’s Data Protection and Privacy space. The Act has provisions on data breach among others.

Struggling to Keep Up

Despite the promulgation of the Data Protection Act, companies are yet to prepare themselves fully for data breaches. This is despite the fact that a number of them may become victims of cyber-attacks especially due to the increased uptake in technology and the fact that the Covid-19 Pandemic has forced a number of employees to work remotely.

What is a Data Breach?

A data breach takes place where there is intentional or unintentional access or release of confidential information from a data source to an untrusted environment. The Data Protection Act, 2019 defines a personal data breach as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Currently, companies understand that the cost of a data breach will outweigh the cost of preventive measures. This is evidenced by the fact that organizations have adopted new technologies and systems aimed at reducing the costs.  The technologies and systems are configured to allow huge uptake of data from users therefore a risk to consumer’s data protection and privacy rights.  Notably, a few understand what the bill holds given that the long-term effects of a data breach are hard to measure.

Showing You the Money

The 2020 IBM Security Report on the Cost of Data breaches (“the Report”) breaks down the root cause of data breach into human error including negligent employees or contractors who unintentionally cause a data breach; malicious attacks, which can be caused by hackers or criminal insiders and system glitches.

The Report is based on qualitative data collected through more than 3,200 separate interviews with individuals at 524 organizations that suffered a data breach between August 2019 and April 2020 found that malicious attacks cost an average of $4.27 million, nearly $1 million more than breaches caused by a system glitch or human error.

Stolen or compromised credentials took the lead position as the most expensive cause of malicious data breaches. 19% of the Companies that had suffered a malicious data breach were infiltrated due to stolen or compromised credentials. This increased the average total cost of a breach for these companies by nearly $1 million to $4.77 million.

Remote working during the Pandemic, increased data breach costs and incident response times. 70% of the organizations that worked remotely due to the Pandemic indicated that remote working would increase the cost of a data breach and 76% said it would increase the time to identify and contain a potential data breach. The Reports note that “having a remote workforce was found to increase the average total cost of a data breach of $3.86 million by nearly $137,000, for an adjusted average total cost of $4 million.” Some consider the increase worth the benefit of containing COVID and saving on medical and other staff costs.

Factors Influencing the Cost of a Data Breach

The Report found that 25 unique factors had either a mitigating influence (decreasing the average total cost of a breach) or an amplifying influence (increasing the average total cost of a breach). These factors include, incident report testing, business continuity, employee training, compliance failures and third party breaches among others. On the average cost of a data breach of $3.86 million, it was found that security system complexity, created by the number of enabling technologies and the lack of in-house expertise, amplified the average total cost of a data breach by an average of $291,870. Migration to the cloud was associated with higher than average data breach costs, increasing the average cost by an average of $267,469.

Factors that mitigated the average total cost of a data breach included extensive testing of the incident response plan and business continuity management, decreasing the average cost by an average of $295,267 and $278,697, respectively.

How do you calculate the Cost of Data Breaches?

There are several factors to be considered when calculating how much a data breach will cost an organization. These can be broken down to four key cost centres as follows:

  • Detection and escalation – Activities that enable a company to detect a breach. For instance, assessment and audit services and crisis management;
  • Notification – Once an organization has detected an issue, it notifies the data commissioner as well as the data subjects. The organization will also need to enagage legal experts and regulatory consultants.
  • Lost business – A breach may hit the revenue of a company and cause brand damage issues. The organization will have to embark on activities that attempt to minimize the loss of customers, business disruption and revenue losses
  • Ex-post Response – These are activities done to redress and help those impacted by a breach. Once a breach has happened, and all users affected are notified, there are potential legal costs, fines and other activities to be done in order to restore goodwill such as discounted services.

Other factors to be taken into account include the cost per record and the type of data itself. The cost of personally identifiable information is the highest and also the most compromised. The average cost per lost or stolen record was $146 across all data breaches while those that contained personally identifiable information cost businesses $150 per compromised record.

An example of cost in high profile data breaches in companies includes:

  • Stolen data of 533 Million Facebook users leaked online in April, 2021 – the estimated cost was $3.7 billion. The records included date of birth, locations, full names, phone numbers and some email addresses.
  • It is estimated that the Microsoft breach in 2020 exposed 250 million records containing email addresses, IP addresses, chat logs. The estimated cost was $1.8 billion.

Take Some Action

  • Identify the data processing operations likely to cause a data breach. This can be done by conducting data protection or privacy impact assessment of the organization’s systems.
  • Engage privacy experts to assess the data processing operations likely to compromise the data protection rights of individuals.
  • Engage privacy experts to develop a comprehensive data privacy programme.
  • Engage cybersecurity experts to identify, validate and assess the risk of any data security vulnerability that may exist with the organization.
  • Engage a data protection officer or external data privacy consultant to audit, develop, implement and maintain the organisation’s data privacy programme.