What’s the true cost of a data breach?

Loss of earning ability and revenue due to data breach

After a March 2023 data breach restricted Latitude Financial’s ability to earn income for over a month, the financial services provider shared some eye-watering estimates in an ASX filing: a forecasted first-half statutory loss between $95 million and $105 million. They’re also setting aside $53 million for post-cyber incident expenses.

[Note: in August 2023, Latitude reported a $98 million statutory loss, and $76 million in pre-tax costs and provisions relating to the incident.]

But those numbers don’t include “the potential for regulatory fines, class actions, future system enhancements or an assumption of insurance proceeds.” That’s a notable exception considering the organisation faces a first-ever joint investigation from the Office of the Australian Information Commissioner (OAIC) and New Zealand’s Office of the Privacy Commissioner (OPC). 

Other victims of major breaches have admitted losses that resulted from the incident. Without sharing specific estimates of losses, Optus CEO Kelly Bayer Rosmarin admits, “Had it not been for the cyberattacks, we would have expected our results to be even stronger.” She notes that customers have been returning thanks to the organisation’s transparency and apologetic response, but it’s clear that Optus has felt the financial sting – even if that’s just a matter of diminished growth trajectory rather than total debilitation. 

Data breach costs include fines and class-action suits

Medibank and its 2022 data breach are a perfect case study in the ways that adjacent costs might end up even bigger than direct losses. Currently under investigation by the OAIC, the insurance giant could face fines of up to $50 million for its handling of personal information. 

In addition to more punitive fines, the privacy regulator could compel Medibank to compensate impacted customers directly. But that’s not enough for Centennial Lawyers’ George Newhouse, who has claimed that OAIC powers to compensate customers are limited. Newhouse is part of the joint class action led by Bannister Law Class Actions, Maurice Blackburn Lawyers and Centennial Lawyers, which will seek compensation through the courts instead of regulators. To date, the insurer faces a total of four class actions.

While it’s important to note that a class action involving a breach of health records has only succeeded in court once before, Newhouse has suggested that Medibank could be liable for more than $1 billion. Whether or not you believe Newhouse has a financial incentive to play up Medibank’s potential losses, it’s clear that the insurer faces a raft of legal battles that are almost certain to be costly and time-consuming even if the class actions don’t succeed. 

Forensics and reputational damage costs

Some have theorised that customer losses won’t be enough to materially impact brands like Medibank, although the jury is still out, especially amid legal action and regulator scrutiny. But other businesses have seen hits to reputation that could add up to serious financial damage. 

HWL Ebsworth, Australia’s largest legal partnership, is currently playing a high-stakes game of cat and mouse with Russia-linked cyber-criminals. The cyber-criminals claim to have nicked about four terabytes of data, including internal company files, personal employee data and various financial reporting. The nature of HWLE’s clientele – including banks, insurance companies, and all levels of government – has done nothing to lessen the severity of the situation.

In fact, several clients, including the Commonwealth Bank of Australia, La Trobe Financial, and ING Bank, have already packed their bags and removed their files from HWLE, citing concerns about data protection. When information is too sensitive, some customers and clients will move to another provider regardless of the actual scope of a breach – in other words, it’s just not worth the risk. 

But what does that mean for the firm’s bottom line? Estimates are fuzzy because the breach is still playing out, but we know that cyber-attacks can do big damage to Big Law. After cyber-attacks targeting two of its member firms, intellectual property law group IPH estimated a service charge budget shortfall of $4.4 million and $2-2.5 million (pre-tax) incurred for reactive costs like forensics and the remediation of its IT systems. 

Bottom line: a cyber-attack isn’t merely a technological hitch, it’s a comprehensive catastrophe that affects every facet of the business. Let’s just say it’s better to invest in that cybersecurity umbrella before a storm hits. After all, it’s not just about weathering the storm, it’s about avoiding it altogether.