The true cost of a data breach - what to consider when contracting with a data processor
The global average cost of a data breach in 2018 was $3.86 million, according to the Ponemon Institute’s report “2018 Cost of Data Breach Study: Global Overview”. Although potential fines under the GDPR have been well publicised and have rightly drawn the focus of senior executives across Europe, other costs associated with a data breach sometimes attract less attention. The ancillary costs of a data breach are likely to increase as a consequence of the compulsory reporting requirements of the GDPR. It is important to consider the full potential cost of a breach when appointing (or agreeing to act as) a data processor and negotiating contractual data processing provisions.
Costs of a data breach
Regulators can issue fines of up to €20 million or four percent of worldwide turnover (whichever is the greater) for non-compliance with the GDPR. At the time of writing, the UK Information Commissioner’s Office (ICO) has not issued a significant fine for breach of the GDPR. However, we have seen an increased willingness to levy top-end fines for breach of the (now repealed) Data Protection Act 1998. For example, earlier this year, the ICO fined Facebook £500,000 for serious breaches of data protection law in connection with the Cambridge Analytica scandal. In 2019, we expect to start seeing regulators impose more significant fines, and it will be interesting to see how the new powers are applied.
Even if no regulatory fine is issued, however, the cost of a data breach can be significant. According to the Ponemon Institute’s report, the average cost of a data breach in the UK in 2018 was $3.68 million (slightly below the global average) and the average cost per lost or stolen record in the UK was $148.
The study split the cost into the following four areas:
- detection and escalation (e.g. investigative activities, audit services and crisis team management)
- notification costs (e.g. communication with regulators and letters, emails or general notifications to data subjects)
- post-data breach response (e.g. legal expenditure, issuing new accounts, credit report monitoring and identity protection services, product discounts and regulatory fines)
- lost business (e.g. as a result of system downtime or reputational damage).
Factors found to affect the cost of a data breach included the size of breach or number of records stolen, the time taken to identity and contain a breach, the effective management of detection and escalation costs and the rush to notify without properly understanding the scope of the breach.
Appointing a data processor
When appointing a data processor (or accepting an appointment as a data processor) the full potential cost of a data breach (and not just potential fines) should be considered. The parties should also bear in mind that the controller and processor can be jointly and severally liable under the GDPR for damage caused.
Appropriate due diligence should be conducted and proper controls implemented in light of the potential exposure. It is important to ensure that risk is allocated suitably under contractual data processing provisions (which are required under the GDPR) and it is common to negotiate liability caps that relate specifically to breaches of those provisions. Such liability caps should be agreed in the context of the full suite of liability provisions in the contract. For example, if loss of opportunity, loss of profit or damage to reputation are not recoverable losses under the contract, the recoverable cost of a breach could be considerably lower than it otherwise would be.
How to reduce the cost of a breach
Clearly, the most effective route to cost reduction is to take proper steps to ensure that a breach does not occur in the first place. However, there are numerous steps that can be taken to reduce exposure in the event that a breach does occur. Cyber insurance policies, for example, are becoming increasingly popular. In the UK, as a matter of public policy, it is unlikely that insurance covering GDPR fines is enforceable, although some policies do purport to cover fines. However, insurance can cover the cost of dealing with and mitigating a breach and liability for certain third party claims. Contractual data processing provisions should make clear which party (if any) will be responsible for insuring for cyber risk. The parties should consider this when agreeing caps on liability.
The Ponemon Institute’s report also identified other key factors that tend to reduce the cost of a breach, including:
- appointment of an incident response team (this reduced the cost by as much as $14 per compromised record)
- extensive use of encryption ($13.1)
- business continuity management involvement ($9.3)
- employee training ($9.3)
- participation in threat sharing ($8.7)
- deployment of an artificial intelligence platform as part of security automation ($8.2).
Steps should be taken to ensure that proper processes are in place to ensure that cost-reduction factors are implemented by the data processor and/or the controller (as appropriate) and the data processing contract should make clear how responsibility is allocated between the parties.
Whilst the Ponemon Institute’s report acknowledges certain limitations in the conclusions it draws (for example, because the sampling methods used are not scientific), even if we account for a large margin for error, it demonstrates clearly that the cost of a data breach can be hugely significant, regardless of any fines issued. It is crucial that the risks are properly understood so that only suitable processors are engaged and responsibility for data breaches is allocated appropriately.
For more information please contact Chris Ingram on +44 (0)20 7438 2135 or at email@example.com.