By: Rebecca L. Rakoski, Esquire
Patrick D. Isbill, Esquire
Lack of direction when it comes to regulatory compliance of the protection of data can be consequential and wide-ranging. For business, it can be downright detrimental. According to IBM’s Annual Cost of a Data Breach Report for 2022 released over the summer, it also continues to be quite costly. This is especially true when it comes to delaying regulatory compliance management for data protection and cybersecurity. Every experienced attorney practicing in the area of data privacy and cybersecurity law knows that discussions with corporate decision makers about compliance directly cross at some point with estimates of data breach costs post-cyber event and calculated costs associated with fortifying against any such event in the first place. It is a double-edged sword that can favor positive effects over negative ones if done right. Much like an iceberg floating above the surface though, putting off a company’s cyber assessment of its compliance obligations will likely foretell some rough spots ahead that are characteristically unpredictable in both depth and scope.
Breach Cost Analysis
The 2022 report from IBM, in conjunction with Ponemon Institute, makes some noteworthy conclusions. The global average total cost of a data breach went up (again) and hit the highest level in the history of the report at $4.35 million. For a frame of reference of how costs are evolving, this figure represents about a 2.5% increase from the year before and falls just short of a 13% increase in the last two years. As a comparison, and minus this year, average U.S. inflation rates depending on the calculation and time frame, as well as who is doing the calculation, tend to fall out over time somewhere in the two to three percent range.
Also, there was little surprise in the industry that had by far the highest average cost of a data breach – healthcare – at $10.10 million. It was followed by finance at $5.97 million and pharmaceuticals at $5.01 million. For any experienced attorney who follows a cross-section of industries when it comes to compliance, those sectors that are data driven and highly regulated tend to be at greater risk for a cyber event or data breach. Healthcare breach costs are among some of the most expensive for those same reasons. According to the report, average breach costs for healthcare have remained the highest for the past twelve consecutive years and increased by a staggering 41.6% related to the study since two years ago.
Starting Point to Directional Compliance and Cyber Readiness
Corporate compliance and cyber readiness start with putting together an experienced legal team who knows how to take into account the unique business needs and structural blueprint of a company. The recognition of direction and its value cannot be overstated. It requires a practical understanding of the growing and complex data protection regulations that now exist, plus the ability to also apply these laws and statutes to the company seeking compliance under a framework suitable for its industry and objectives. Costs of a data breach keep rising, and companies simply cannot afford to be complacent or reliant on instability. Generic off-the-shelf, out-of-the-box, and/or cut-and-paste solutions are acutely inadequate. All in, legal solutions should be focused and tailored to address the unique cybersecurity and data privacy needs of the company and industry sector it occupies while incorporating the demands of technology know-how.
The first that often stands out is strengthening corporate cyber defenses. Its immediacy makes it irresistible as an initial step. This solution is undoubtedly necessary but can also be a legal minefield if allowed to be unbounded and undefined, and if allowed to supersede or overwhelm sometimes more practical and less costly solutions. Artificial intelligence (AI) is a well-known buzzword in technology news these days and for good reason. According to the 2022 report from IBM, an AI security mitigation platform, e.g., one that identifies/contains breach attempts, analyzes suspicious IP addresses, monitors aberrant behavior of system users, and so forth, tops the list of “cost mitigators” to impact the average total cost of a data breach, saving a total of $300,075.00 related to the mean cost. And if that is not striking enough, consider that the average cost savings for organizations with fully deployed security AI and automation is $3.05 million compared to organizations with no security AI and automation deployed. This considerable dollar amount is in conjunction with the finding that it took organizations with no security AI and automation deployed on average an additional seventy-four days, or over two months, to identify and contain a data breach.
Checking in as the third largest “cost mitigator” from the report is the formation of a sound incident response (IR) team. The impact of this factor on the average total cost of a data breach is a savings of $252,897.00 to the mean cost. These response teams are generally tasked, although there can be variations among different corporate structures and corresponding/overlapping industries, with responding to system security breaches, data compromise, surreptitious infiltration, and any other digital incidents in this example that could potentially rise to a catastrophic level. From a legal perspective, individuals comprising the team, who will be called to work closely with IT professionals in a technology-based moment of fast-paced, abstract decision making, should include but are certainly not limited to general corporate counsel and experienced outside cybersecurity and data privacy counsel.
Rounding out the top five, but no less important or potentially impactful, is employee training. This “cost mitigator” reduced the average total cost of a data breach by $247,758.00. Employee training is a foundational piece to enabling a security and privacy program. Often valued as a company’s most important asset, employees can also shift into an immeasurable legal liability if certain advantages of implementing scientifically targeted cyber awareness training are not examined. Training should not however be viewed as simply a clinical exercise. It must be understood as a metric and implementation must allow for adjustment in order to take into account behavior and perception. After all, a company is only as successful as the strength of its personnel. Using employee training specific to statistically patterned behavior points as part of the analytic can significantly impact and thereafter reduce the odds of compromised systems from a cyber breach, or mitigate the overall effects through fixed containment. In short, it is easy to see an argument being advanced for why this cost-influencing factor in the coming years could overtake AI security platforms someday as the top “cost mitigator” to impact the average cost of a data breach for such a study.
So the bottom line is always the bottom line. Regulatory compliance for an organization can seem and is costly. And will likely seem and be more so without proper direction and an overreliance on sterile theory rather than concrete understanding. A data breach is however almost universally acknowledged as costlier. Defensive solutions, i.e., the formation of an IR team and employee training, can be just as effective and/or necessary when coupled with offensive ones, i.e., AI security-based platforms that may or may not include in the future the still illegal for private industry but much discussed and currently debated abilities to “hack back.” But a company should not fall into the trap of playing a numbers game. Granted, each solution has its advantages which may or may not fit with the company’s endgame and must be weighed before application. Nevertheless, it is important to keep in mind that more applications coupled with directionless spending do not guarantee greater security protection, nor do more applications increase the probability of avoiding legal liability and/or compliance violations.
Attack vectors were also a notable part of the report, finding that stolen or compromised credentials were the most frequent initial attack vector associated with data breaches followed by phishing and a host of others that includes social engineering. While social engineering lagged further behind and measured at under 5% when it comes to frequency, it is arguably the category most likely to see a surge in subsequent studies, especially after its increasing use in recently publicized cyber breaches experienced by Uber, Twitter, and Morgan Stanley. There is an argument too that it can by definition be combined with the top attack vector – stolen or compromised credentials – since it is a prime objective for success of such an attack.
Corporate cyber risk assessment and mitigation are avenues to forecast some of the unpredictable rough spots lying beneath the surface on a company’s route forward. When mapping out regulatory compliance, all three solutions, i.e., AI security-based platforms, the formation of an IR team, and employee training, can go a long way to lowering a company’s legal risk profile and mitigate its projected average total cost should it incur a data breach. But some or even most solutions cited in the report may not be the right fit for every company, and each solution regardless of whether it was mentioned needs experienced directional compliance management before it can be sketched to the company’s structural blueprint.
Addressing the cost of a data breach paradigm therefore takes a firm understanding of how technology influences the decisions of corporate governance with compliance oversight dictating any legal restrictions. It is the fusion of these three intersecting vectors that favors strategic outcomes over rote reactive ones. Ultimately next level thinking for the compounding of business, law and technology that goes well-beyond surface proclamations when it comes to regulatory compliance laws related to data protection and where you either lead with direction or fall behind.
Reprinted with permission from the November 18, 2022, issue of the New York Law Journal. Further duplication without permission is prohibited. All rights reserved. © 2022 ALM Media Properties, LLC.
This article does not constitute legal advice or create an attorney-client relationship. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.