What are the risks of handling PII?

Data is often touted as the most valuable resource in our digital world, but it can also be a liability. Businesses of all kinds rely on Personally Identifiable Information (PII), which opens up a Pandora’s Box of potential risks — the most significant being data breaches.

16.5 billion accounts have been breached since 2004 (Surfshark)

From healthcare to finance, schools to charities, no industry is exempt from this threat. Unfortunately, data breaches have become an inescapable reality. It’s no longer ‘if’ but ‘when’ you will experience an incident.

In this article we explore the costs that materialise from a data breach, which industries are most targeted, and we share a valuable tool to quantify the potential harm to your business if you become an unlucky victim.

The Major Risk from Handling PII: Data Breaches

In the era of information, where data is ‘the new oil’, the consequences of mishandling this precious resource have never been greater. The primary risk is a data breach.

In Australia, 855 accounts were leaked every minute in Q2 2023 (Surfshark)

A data breach occurs when an unauthorised individual or entity gains access to Personally Identifiable Information (PII). As your business continues to collect, process, and store vast amounts of PII, you inadvertently expose yourself to potentially material liabilities.

The surging use of data has coincided with an alarming rise in breaches. The constant flow of cyber incidents litters our news feed. According to Checkpoint Research, 2022 experienced a 38% increase in attacks per organisation (vs the previous year).

79% of Australian businesses anticipate a breach of customer data in the next 12 months (Trend Micro, 2022)

In this climate of growing threats, data breaches are not just a possibility but an expectation. This sentiment is increasingly echoed worldwide.

It’s more important than ever to prioritise data security and ensure you have robust protections in place. The cost of inaction is simply too high.

Which industries are most at risk of a breach? Are any of us safe?

There are two industries which are most targeted by cyber attackers — healthcare and finance. These two have always topped the charts for breaches since the Office of the Australian Information Commissioner (OAIC) began publishing data on notifiable breaches in 2018, often by a significant margin.

The attraction for cyber attackers is not a mystery. Both industries handle mountains of highly-sensitive information. A single hospital could manage millions of patient records, while banks hold the keys to potentially lucrative financial details. The combined quantity and sensitivity of the data makes these sectors prime targets for cyber attacks.

OAIC Top 5 Industries for Notifiable Data Breaches in Australia (Jul — Dec ’22)

According to OAIC data for July to December 2022, the top five targeted industries were Healthcare, Finance, Insurance, Legal, Accounting & Management, and Recruitment. These five accounted for over 50% of the 497 total reported breaches.

If your organisation doesn’t fall into one of these categories, you might be inclined to think, “sure, we handle sensitive data, but we’re just a [charity, paediatric hospital, school etc]. No international cyber gang would waste their time targeting us!”

Unfortunately, attackers rarely respect any moral boundary that would put an organisation off limits. Virtually no industry can claim complete safety from cyber threats. For instance:

  • In 2022, the Red Cross charity fell victim to a data breach that exposed the sensitive information of 500,000 vulnerable individuals.
  • The Los Angeles Unified School District suffered a data breach in the same year, with the perpetrators, known as the Vice Society, callously leaking child mental health records and taunting victims online.
  • A cancer-treatment hospital in Sydney couldn’t escape the crosshairs, falling victim to a ransom attack in May 2023.

The stark reality is that every organisation must prepare for a potential breach, regardless of its nature or size. This preparation should encompass not only robust preventive measures but also strategies for damage mitigation in the event of a breach.

What is the cost of a Breach?

Data breaches can wreak devastating harm on both the individuals whose personal data is exposed and the organisation responsible for handling their PII. The consequences often extend far beyond the immediate financial damage.

Average Cost of a Data Breach by Industry ($m USD), IBM 2022

IBM has estimated that the average cost of a data breach is ~$4.35m USD (equivalent to 6.35m AUD) for an organisation. However, this figure can fluctuate significantly depending on various factors such as industry, geographical location and the duration of the breach.

Looking at individual industries, it is unfortunately bad news again for healthcare businesses, where the average cost is over $10m USD (or 15m AUD). This figure is more than 65% greater than the next highest industry by cost per breach, finance ($6m USD). Even the public sector, which has the lowest average cost, typically faces bills over $2m USD — indicating the overall damage will be hefty, no matter the industry.

Regionally, organisations based in the United States face the highest costs, with breaches averaging $9m USD each. These costs are significantly higher than in Australia, which ranks 11th overall, where the average breach costs $3m USD.

What drives the cost of a Breach?

% Breakdown of Data Breach Cost by Segment, IBM 2022

Organisational damages from data breaches stem from the various stages of a breach. There are three main cost areas:

1. The initial detection and escalation of a breach (33% of costs)

The average breach lifecycle lasted 277 days in 2022. Companies with fully deployed security AI and automation experienced a 74-day shorter lifecycle than those without (IBM)

  • Detection and forensic investigation: detection requires advanced cybersecurity tools and expert personnel. If an organisation lacks digital capability or monitoring tools, then it is likely that a breach will last longer and generate higher costs.
  • Crisis management: Managing communications both internally and externally (to investors, customers, regulators, etc.) requires careful planning and execution to minimise damage to reputation and trust. It can often require legal advisors and specialist consultants.

2. The post-breach response (27% of costs)

A breach under Australia’s new privacy legislation faces a minimum penalty of $50m AUD, 3x the benefit of a contravention, or 30% of domestic turnover.

  • Remediation efforts: This can involve system repairs, data recovery, and strengthening cybersecurity measures to prevent future breaches.
  • Regulatory penalties: If the breached data was protected under laws such as GDPR or HIPAA, then the organisation may face substantial penalties. The global trend is tilting towards stricter legislation, heftier fines, and stronger enforcement as governments become more proactive in protecting their citizens’ data.
  • (More) Legal expenses: The company may also be sued by affected parties, leading to additional litigation costs.

3. Ongoing lost business (33% of costs)

75% of consumers stated they would refrain from purchasing from any company they don’t trust with their data — even if it was previously their favourite retailer. (Cisco 2022 Consumer Privacy Survey)

  • Reputational damage: The damage to a company’s brand can be long-lasting. The impact can reach well beyond the loss of existing and prospective customers. Suppliers, business partners and employees may all lose trust in the organisation, harming its ability to do business.
  • Operational disruption or destruction: Significant breaches can lead to disrupted operations or even the total loss of certain business capabilities, resulting in further financial losses.

Case Study: Medibank

Following the 2022 security breach, Medibank declared a $26 million (AUD) half-year hit, a figure expected to rise to between $40 million and $45 million over the entire year.

The company stated it couldn’t quantify future losses at the time. However, the share price immediately dropped 18%. This price drop wiped nearly $2 billion off the market capitalisation — indicating that investors had quantified the potential losses, and they were enormous.

While the scale of damage varies depending on the sensitivity of the information and the jurisdiction, the risk of a breach is universal. All organisations need to understand the potential ramifications of a data breach and implement effective preventative measures.

Are you interested in understanding the cost of a breach to your organisation?

Estimating the potential cost of a breach can be a helpful step towards understanding your risk exposure. Investments in data security and privacy are often challenging to quantify, especially because the benefits are preventative. When we avoid a breach, it’s hard to know just how much damage was evaded.

Unfortunately, this can lead to underinvestment. In an environment where consumers and regulators are paying increasing attention to data privacy, and potential damages are in the millions, arguably you can no longer afford to not invest in protecting sensitive data.

Thankfully, some valuable tools can help assess theoretical breach costs. For instance, this handy calculator (https://www.at-bay.com/cyber-risk-calculators/) allows you to answer between 3 and 10 questions — depending on how much time you have — to estimate the cost of a breach to your business.

Example Data Breach Cost Calculator

This tool conveniently includes a breakdown of the estimate into categories. For example, the scenario above includes a breakdown for a breach of 10k customer and employee records, covering personal and health information, resulting in a $1.6m USD cost to the business.

If you would like to learn more about what we are building at Onqlave to help protect sensitive data, follow our updates via LinkedIn, sign up to our newsletter or feel free to get in touch with any of our team.