Australasian Science — May-June 2017

In late September 2016, we learned that Yahoo’s servers
had been breached and upwards of 500 million users
had bits and pieces of their private information stolen,
much of which later ended up being sold in dark web
marketplaces. The breach had occurred 2 years earlier,
with Yahoo largely unaware that there was even a problem.
The Yahoo breach is the tip of a very, very large iceberg. Just
the month before, Dropbox announced that it had also been
hacked (again, some years earlier) and that user information
for 68 million account holders was pilfered away. The list goes
on and on, and the number of users exposed consistently reaches
well into the millions.
Despite the huge numbers of compromised accounts that
come along with every data breach, most people actually indicate
that they have never been notified that their private information
has been compromised. The 2016 CIGI/Ipsos Global
Survey on Internet Security and Trust (http://tinyurl.com/jl8kzh6)
makes this point plainly. Across more than 24,000
respondents in 24 different countries, only 27% of people indicated
that they had ever been notified that their personal data
was compromised in a data breach.
The numbers get even weirder from there. Of those who
did know that their data was exposed, few suffered any serious
personal financial costs. Fully 47% of people, for example,
reported that they suffered zero financial cost as a result of the
data breach. Another 44% reported that the financial costs
amounted to a small amount, ranging from 1¢ to $999. Summed
together, these numbers indicate that for upwards of 91% of
people, data breaches impose only a very small personal financial
cost.
With these two sets of numbers at hand, it is tempting to
think that data breaches and online crime, despite being headline-grabbing
stuff, are not really that large of a problem for
individuals around the world. But there are at least four reasons
why online crime and the theft of personal data remain a
massive issue that is likely to get even worse as more and more
of our daily lives shifts online.

One of the reasons is financial. A second has to do with
patchy disclosure laws. Another has to do with the importance
of privacy, and the last involves a somewhat more ephemeral
notion of trust. Combined together, these reasons are mutually
reinforcing and strongly suggest that more needs to be done
by companies, individuals and governments to fight back against
cybercriminals.
Let’s unpack the first of the reasons. While 47% of survey
respondents indicated that the theft of their personal data did
not cost them even a penny, how much these crimes cost overall
matters, too. As Fen Hampson and I point out in Look Who’s
Watching: Surveillance, Treachery and Trust Online, when you
add up all the individual financial costs of data breaches, the
result is a fairly massive price tag. Because respondents were
asked to put their estimated financial losses into categories, we
were able to estimate the minimum, the average and the
maximum potential cumulative cost of people’s lost data. At the
minimum end, assuming everyone paid the smallest amount
for their indicated cost range, the price tag could still be as high as
USD$5.4 trillion. The average case, where some paid at the
high end, some at the low end and some in the middle, worked
out to a whopping USD$10.6 trillion. If we assume the worst –
that everyone paid at the top end of their chosen range – then
the cumulative cost of data breaches is potentially as high as
USD$15.7 trillion.
Small costs, while they might seem minor in isolation, can
add up very quickly when there are hundreds of millions of
people being affected. Clearly, the initial idea that cybercrime
might not be a huge problem financially is simply not true.
People might also not have been notified that their personal
data was breached, and herein lies the second reason why a
figure like 27% should not be taken as a sign that there is not
a problem. Some nations have laws surrounding the disclosure
of data breaches to those affected by a breach. Others don’t.
Sometimes, too, those rules apply to certain sectors, like health
care, but not to others, like retail. This patchwork quilt of data
breach disclosure rules means that just because only 27% of

Why Personal Data Breaches Are a Growing Problem


ERIC JARDINE

While most people whose online data have been compromised report little or no financial
consequences, the overall cost runs into trillions of dollars even before the loss of trust in
e-commerce is factored in.