The true cost of a data breach - what to consider when contracting with a data processor
The global average cost of a data breach in 2018 was $3.86 million, according to the Ponemon Institute’s report “2018 Cost of Data Breach Study: Global Overview”. Although potential fines under the GDPR have been well publicised and have rightly drawn the focus of senior executives across Europe, other costs associated with a data breach sometimes attract less attention. The ancillary costs of a data breach are likely to increase as a consequence of the compulsory reporting requirements of the GDPR. It is important to consider the full potential cost of a breach when appointing (or agreeing to act as) a data processor and negotiating contractual data processing provisions.
Costs of a data breach
Regulators can issue fines of up to €20 million or four percent of worldwide turnover (whichever is the greater) for non-compliance with the GDPR. At the time of writing, the UK Information Commissioner’s Office (ICO) has not issued a significant fine for breach of the GDPR. However, we have seen an increased willingness to levy top-end fines for breach of the (now repealed) Data Protection Act 1998. For example, earlier this year, the ICO fined Facebook £500,000 for serious breaches of data protection law in connection with the Cambridge Analytica scandal. In 2019, we expect to start seeing regulators impose more significant fines, and it will be interesting to see how the new powers are applied.
Even if no regulatory fine is issued, however, the cost of a data breach can be significant. According to the Ponemon Institute’s report, the average cost of a data breach in the UK in 2018 was $3.68 million (slightly below the global average) and the average cost per lost or stolen record in the UK was $148.
The study split the cost into the following four areas:
- detection and escalation (e.g. investigative activities, audit services and crisis team management)
- notification costs (e.g. communication with regulators and letters, emails or general notifications to data subjects)
- post-data breach response (e.g. legal expenditure, issuing new accounts, credit report monitoring and identity protection services, product discounts and regulatory fines)
- lost business (e.g. as a result of system downtime or reputational damage).
Factors found to affect the cost of a data breach included the size of the breach or number of records stolen, the time taken to identify and contain the breach, the effective management of detection and escalation costs, and the rush to notify without properly understanding the scope of the breach.
Appointing a data processor
When appointing a data processor (or accepting an appointment as a data processor) the full potential cost of a data breach (and not just potential fines) should be considered. The parties should also bear in mind that the controller and processor can be jointly and severally liable under the GDPR for damage caused.
Appropriate due diligence should be conducted and proper controls implemented in light of the potential exposure. It is important to ensure that risk is allocated suitably under contractual data processing provisions (which are required under the GDPR) and it is common to negotiate liability caps that relate specifically to breaches of those provisions. Such liability caps should be agreed in the context of the full suite of liability provisions in the contract. For example, if loss of opportunity, loss of profit or damage to reputation are not recoverable losses under the contract, the recoverable cost of a breach could be considerably lower than it otherwise would be.
How to reduce the cost of a breach
Clearly, the most effective route to cost reduction is to take proper steps to ensure that a breach does not occur in the first place. However, there are numerous steps that can be taken to reduce exposure in the event that a breach does occur. Cyber insurance policies, for example, are becoming increasingly popular. In the UK, as a matter of public policy, it is unlikely that insurance covering GDPR fines is enforceable, although some policies do purport to cover fines. However, insurance can cover the cost of dealing with and mitigating a breach and liability for certain third party claims. Contractual data processing provisions should make clear which party (if any) will be responsible for insuring for cyber risk. The parties should consider this when agreeing caps on liability.
The Ponemon Institute’s report also identified other key factors that tend to reduce the cost of a breach (average reduction in cost per compromised record in brackets), including:
- appointment of an incident response team (as much as $14 per compromised record)
- extensive use of encryption ($13.1 per record)
- business continuity management involvement ($9.3 per record)
- employee training ($9.3 per record)
- participation in threat sharing ($8.7 per record)
- deployment of an artificial intelligence platform as part of security automation ($8.2 per record).
Steps should be taken to put proper processes in place so that these cost-reduction factors are implemented by the data processor and/or the controller (as appropriate), and the data processing contract should make clear how responsibility for them is allocated between the parties.
Whilst the Ponemon Institute’s report acknowledges certain limitations in the conclusions it draws (for example, because the sampling methods used are not scientific), even if we account for a large margin for error, it demonstrates clearly that the cost of a data breach can be hugely significant, regardless of any fines issued. It is crucial that the risks are properly understood so that only suitable processors are engaged and responsibility for data breaches is allocated appropriately.
For more information please contact Chris Ingram on +44 (0)20 7438 2135 or at firstname.lastname@example.org.