According to the Ponemon Institute’s 10th annual Cost of Data Breach Study, the average consolidated total cost of a data breach is now $6.53 million for a U.S. organization, an 11% increase since last year. The study also found that the average cost per lost or stolen record containing sensitive and confidential information rose from $201 in 2014 to $217. These facts alone should encourage every company to tighten its data security policies and capabilities, but there’s more. Key legal and regulatory changes have increased the financial risk to companies with lax data security.
Since no court has yet ruled that the FTC lacks such jurisdiction, the bureau has stepped up its consumer privacy activity, and enforcement actions have skyrocketed. Any organization that deals with consumer information is subject to an investigation.
At the same time, the law is catching up with the real impact of data breaches. A truly game-changing ruling in Remijas v. Neiman Marcus has made it easier for consumers to sue companies after breaches involving their personal data. Historically, even when sensitive information such as credit card numbers, birth dates, government ID numbers and medical records have been accessed, it’s been hard for consumers to sue companies over the breach. Companies have typically been able to avoid these lawsuits by invoking a Supreme Court case, Clapper v. Amnesty International. The case, which was about phone records and national security, required a showing of a risk of “imminent” and “concrete” injury in order to have standing to bring suit.
As a consequence of the Remijas case, however, consumers no longer have to show a risk of imminent and concrete injury in order to file suit, which means that a company’s failure to properly oversee data and how it responds to a breach may be sufficient grounds to sustain class actions by affected customers, whether or not they suffered a financial loss.