Data breaches could cost UK businesses £20bn

New regulations will significantly raise reporting and financial stakes for companies. Two thirds of customers affected say they would cease doing business with an affected organisation.

London, UK, 25 June 2015: New figures reveal that mid-sized and large businesses could be in line for fines totalling £20bn if they fail to protect their customers from data breaches.

Companies that suffer a breach could face serious financial consequences once new data protection regulations are fully introduced across EU member states.

Data breaches are increasingly frequent and, according to research from Experian, UK businesses appear to be acutely underprepared when it comes to the aftermath. Almost a fifth (17%) of companies have lost confidential information in at least one breach over the last two years and 57% of those affected experienced multiple breaches:

  •          Less than half of the organisations surveyed (47%) would notify their customers ‘as quickly as possible’;
  •          43% would offer a dedicated support team to reassure customers;
  •          Just 16 % say they would financially compensate anyone affected by a breach.

The new rules are likely to significantly raise the reporting and financial stakes. With cyber-criminals becoming increasingly sophisticated, plus unprecedented levels of personally identifiable information now trading online, the problem is not going to go away on its own. 

“The introduction of EU Data Protection Regulation, expected to come fully into force within the next three years, will fundamentally and dramatically alter the data breach landscape. Even in the absence of a strict notification law at this time, it is well within companies’ best interest to put preventative measures and plans in place now. The companies that stay ahead will be those who focus on protecting their customers,” commented Amir Goshtai, Managing Director, Affinity, Experian Consumer Services.

If the threat of a substantial fine isn’t enough, almost two thirds (63%) of people say they would leave an organisation if their personal information was compromised. Customer confidence and loyalty would also be greatly affected with eight in ten Britons declaring that their overall level of trust in an affected company would decrease (80 per cent) and their opinion of the organisation would worsen (79 per cent). More than two thirds (67 per cent) said they would advise their friends and family against doing business with a breached organisation.

The main challenge is that the UK is expected to follow the same upward trajectory that has been observed in the US over the last five years. This means the risks of data breaches will continue to increase at a rapid rate and consequently the repercussions in terms of lost business costs, greater public awareness and reputational damage, will become considerably more serious.

“Tougher regulation will further raise the media and public profile of data breaches. With our data showing that a third of companies currently do not have any kind of response plan in place at all and almost two in ten having suffered a significant data breach in the last two years, it could be a stark wake up call for UK business,” Amir Goshtai continued.

Further insight highlights the extent of the issue, revealing that:

  •          Almost one in five (17 per cent) of organisations questioned had a data breach involving the loss of more than 1,000 records in the past two years. In the US this figure is significantly higher at 43 per cent;
  •          Nearly three in five (57 per cent) of those affected, experienced multiple breaches.  Medium-sized businesses were the worst hit with almost two thirds (61 per cent) reporting an attack between two and five times, compared with two in five (40 per cent) of large businesses;
  •          Whilst almost half of businesses (46 per cent) think it is their responsibility to keep personal data safe and a further 27 per cent believe they and their customers have equal liability, almost a third (28 per cent) place this burden firmly on the customer;
  •          Organisations that have had a data breach in the past two years are far more likely to say it is the customers’ responsibility to keep personal data safe (55 per cent), compared to those who have not had a data breach in the past two years (21 per cent).

 

-       ENDS -

Notes to editors:

Methodology:

ComRes interviewed 400 medium and large UK businesses online between the 22nd December 2014 and 3rd January 2015. All respondents were screened and had involvement or knowledge of their company’s data breach policy.

ComRes interviewed 2,056 GB adults online between the 9th and 11th January 2015. Data were weighted to be representative of all GB adults aged 18+.

 

£20bn figure was calculated as follows: 38,000 medium and large businesses in the UK (BIS data http://www.parliament.uk/briefing-papers/sn06152.pdf).  According to Experian primary data, 17% of businesses say they have had a data breach involving the loss or theft of more than 1000 records containing sensitive or confidential information in the past two years.  17% of 38,000 = 6460 businesses that could be in line for a fine under the new legislation.  Average turnover for these businesses is £61,868,421 and the average fine is 5% of this: £3,093,421. So the total cost to medium and large businesses in the UK is 6460 x the average fine of £3,093,421 which comes to £19,983,499,660

EU Data Protection Regulation sets out a series of provisions:

i) Universal mandatory notification: all data controllers must notify all breaches of personal data to the Data Protection Authority within 72 hours

ii) Fines in the UK will rise from the current maximum of £500,000 to £71,727,114 (€100 million), or up to 5% of annual turnover

 

For more information please contact:

 Experian Consumer Services

Joanne Leahy, Head of PR and Communications - 020304-24089 / joanne.leahy@experian.com 

About Experian

We are the leading global information services company, providing data and analytical tools to our clients around the world. We help businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making. We also help people to check their credit report and credit score, and protect against identity theft.  In 2014, we were named by Forbes magazine as one of the ‘World’s Most Innovative Companies’.

We employ approximately 17,000 people in 39 countries and our corporate headquarters are in Dublin, Ireland, with operational headquarters in Nottingham, UK; California, US; and São Paulo, Brazil.

Experian plc is listed on the London Stock Exchange (EXPN) and is a constituent of the FTSE 100 index. Total revenue for the year ended March 31, 2015, was US$4.8 billion.

To find out more about our company, please visit http://www.experianplc.com or watch our documentary, ‘Inside Experian’.