Data And Trends

 

According to the ITU, the Internet passed the 3 billion user milestone in 2015, with just over 3.2 billion users worldwide by the end of the year. While this highlights steady growth, there is work to be done to bring the Internet to everyone, particularly in certain regions.

As of 2015, more than half the world’s population was not yet online (see below). Historical annual double-digit growth levels in the number of users dipped to 8% for 2015. The fact that growth rates keep falling with Internet penetration still below 50% is cause for alarm.

The story is not much better on a regional level. It might be expected that Europe, with a leading 76% of the population online, could withstand a dip in growth rates to 2%. But Africa, which just surpassed 20% of the population online, has also seen growth rates fall significantly, albeit to 15%. This slowdown suggests that connecting the unconnected will take significant and concerted efforts.1

The slowdown in Internet growth rates, particularly in regions that were already falling behind the global average, lends urgency to the Internet Society’s objective to connect the unconnected. There is evidence that existing users are increasingly concerned about privacy and security issues worldwide, and this may start to spill over to new users, who might become more reluctant to go online. If people trust the Internet, they are more likely to use it. Trust is at the heart of the Internet economy, and more and more at the heart of economic growth.2 This lends urgency to our objective to promote and restore trust in the Internet.

Users are increasingly aware of privacy and security issues in general, and specifically data breaches. The number of reported data breaches is increasing, while the full extent of breaches is unknown. The data shows the trend is for outside hackers to attack organisations to gather data for identity theft, which is a direct attack on the organisations’ users.

These breaches have had an impact on users’ trust. In particular, privacy and security issues seem to weigh most heavily on those who are already online. That may be because they have some understanding of the implications of the personal information they are providing to online services, or because they already have had a direct experience with a data breach. The surveys highlighted below show a persistent and growing segment of users who temper their use of certain online services because of privacy and security concerns.

This report also examines the cost of data breaches. At one level, organisations are not complacent about the increasing number of data breaches, which are a significant cost for organisations and society to address. Nonetheless, while spending on cybersecurity continues to rise, there is little available evidence breaches are slowing in number or size. There are also few studies of the direct costs of data breaches on the users themselves, who are often the ultimate victims.

Organisations do not bear all the costs of a data breach. They often do not bear all the financial cost imposed on other related organisations by the breach, and they do not bear all the cost imposed on users. In economic terms these unaccounted for costs are externalities. At the same time, organisations have a difficult time increasing user trust in their services because it is hard to convey how secure their services are to users. In economic terms, this difference in viewpoints is known as asymmetric information.

These economic issues help identify incentives for organisations to prevent data breaches, and form the heart of the issues and recommendations sections.

The interest in data breach trends is fed by the increased number being reported, along with privacy rights activists and data protection authorities helping to raise awareness. A variety of yearly reports focus on data breaches; however, they may be covering only the tip of the iceberg.

‘There are two types of companies – those who have been hacked, and those who don’t know they have been hacked.’

Common cybersecurity saying

If a company has not detected a breach, it cannot report it. Even if a breach is detected, it still might not be reported. Not all countries require breaches to be reported. Even within those countries, it is unlikely all breaches are reported, as reporting requirements may only apply to certain types of data breaches. Even where reporting is compulsory, not all aspects may be reported. For instance, organisations increasingly do not report the number of records breached.

As a result, the numbers that follow certainly underreport the number and magnitude of breaches at a global level. Nonetheless, even the breaches reported paint a picture of almost steady increase over the past years.

One representative source of data on breaches is the Breach Level Index from Gemalto. Gemalto reported 1,673 known incidents for 2015, with 707 million records known to be exposed. The total number of reported incidents is rising, while it appears the number of reported records exposed fell in 2015.3

However, Gemalto also noted in 47% of incidents in 2015, the number of records breached was not reported. As a result, the number of records breached could be much higher, and it is difficult to determine a trend in the number of records exposed over time.

Other sources reported similar trends. The Data Breach QuickView from Risk Based Security, Inc. shows 3,930 breaches globally with 736 million total records exposed for 2015.4 They note in just under 29% of cases, the number of records reported exposed in a breach were ‘unknown’, up from just over 19% of breaches in 2014. Another source, the Internet Security Threat Report from Symantec, reported 291 known breaches for 2015, involving 429 million records, while in 39% of incidents the number of records breached was not reported.5

While each source reported a different number of incidents ranging from 291 to almost 4,000, at least 429 million individuals were impacted in 2015. It is likely far more were affected given the number of unreported incidents and those reports with unknown numbers of records.

The number of data breaches appears to be rising, along with the number of records breached. However, the numbers do not tell the full story.

It is clear the reports underrepresent the number of data breaches taking place, and the number of records breached, so the full extent of the breaches is not fully known. Many countries do not require breach notification, and even in countries that do, it is possible that not all breaches are reported. And, of course, not all breaches will have been detected. Further, when they are reported, the number and type of records are sometimes not reported or not even known.

Yet, the increasing number of breaches reported does not necessarily mean that organisations are more susceptible to breaches. The Internet continues to grow in the breadth of users and organisations that are online, and in the depth of use, resulting in ever more data collected. So, it is not immediately clear whether organisations are more susceptible to breaches, or whether organisations are better at protecting themselves, but there are more organisations to breach.

One study from the Global Commission on Internet Governance, sponsored by the Centre for International Governance Innovation (CIGI) and Chatham House, concluded, using a variety of metrics, that normalising cybercrime numbers based on growth shows the state of cybersecurity is better than indicated by the absolute numbers.6

Still, this report starts from the view of the user. From their point of view, the most striking argument may be they hear more about the increase in the absolute number of data breaches, and the implications for their personal data, with a corresponding impact on Internet trust levels.

The global number of data breach incidents in the Gemalto Breach Level Index is broken down along some key categories:

  • Geography
  • Source of breach
  • Target of breach
  • Type of data breached

Geography

The United States always weighs heavily in these reports, both for known incidents and reported records breached. As shown, the United States makes up 1,222 of the 1,287 incidents in North America (and 73% of the global total). Another report from 2015 shows the US at 40.5% of incidents out of 111 countries reporting at least one breach (with 20.2% unknown geography) and 64.7% of the records breached (with just 1.7% unknown).7

When asked why he robbed banks, it is said Willie Sutton responded, ‘That’s where the money is’. It is tempting to conclude from these data the US is where the records are stored, and there are a high number of data targets in the US, including non-US companies using US data centres. But, it is more likely that the ranking is due to more comprehensive data breach disclosure laws in the US.8

Source of breach

Understanding the source of data breaches is critical to efforts to prevent, detect, and rectify them. While different publications use somewhat different classifications, outside attacks are consistently the top source of data breaches followed by accidental release of data and insider breaches.9

Outside attacks often exploit known security vulnerabilities, many of which could likely be prevented. These include, at one end, zero-day exploits that are unknown to the software developer until exposed (giving ‘zero days’ to fix the vulnerability) and, at the other end, known vulnerabilities for which there are existing patches that have not yet been applied.

The exploited vulnerabilities can be internal to the target organisation, or a related organisation, such as a vendor, whose system is connected to the target and may be more susceptible. A common means to access any organisation is through social engineering, for instance using phishing to trick a user into providing their password or downloading malware.

Many of these outside breaches are preventable. This is discussed further in the issues and recommendations sections.

Target of breach

The following graph indicates the targets of the reported breaches in 2015, as tracked by Gemalto. It shows businesses are the top targets, followed by the healthcare industry, and then government. While government had a lower number of breaches than the other sectors, it had a significantly higher number of known records breached, in part due to a small number of large government breaches in 2015.

Within business, the retail sector represents 13% of all breaches (and 6% of the records), financial services represents 15% of breaches (but just 0.1% of records) and technology represents 6% of breaches (and 12% of records). Other industries are not broken down in detail in this report.

Type of data breached

The report reviews the type of data that has been targeted. Using Gemalto’s definitions, the following categories are tracked:

  • Identity theft, with both the most incidents and the most records
  • Financial access (bank account and credit card), which has a high number of incidents, but relatively few records, at least for 2015.
  • Account access, which represents usernames and passwords to online services such as social media, and sits at around 10% of incidents and slightly more records
  • Existential data, defined as data with national security value or vital to the survival of the business, is also around 10% of incidents and slightly more records
  • Nuisance data, consisting of email addresses and affiliations, is low in the number of incidents but amounts to almost 30% of records

From this report it appears financial access does not represent a significant amount of the total breached records, but the direct financial impact may be lower for the consumer given liability limits on credit cards. Arguably, identity theft is much more significant – also potentially existential for individuals – and represents a worrying number of breaches and breached records.

The number of reported breaches and the number of records breached are rising, and a significant target is the information needed for identity theft. How does this increase in reported breaches impact Internet users who are often the ultimate victim? Does it affect nonusers’ willingness to go online in the first place? Does it impact existing users’ willingness to use certain online services? The results of various surveys illustrate individuals’ attitudes towards privacy and security, and how changes in attitude may impact their behaviour.

A wide range of surveys show existing online users are concerned about security, and claim it impacts their willingness to use services requiring personal information. This includes e-commerce, e-government, social media, and online banking and health services. This is an alarming trend for the growth of the Internet, but it is difficult to confirm whether it translates into lower or more selective usage.

There have also been few surveys of non-users and why they are not going online, particularly in emerging markets. In Brazil, where there are extensive yearly surveys, there is a group of non-users concerned about privacy and security, as shown in the upcoming graph. Other evidence indicates Internet trust is an issue everywhere and may be more significant in emerging countries.

Users are subject to a wide variety of news about privacy and security issues in addition to data breaches. At a personal level, there are risks of viruses and spam that may not be connected to data breaches. The topic of pervasive surveillance clearly has gained significant attention, particularly since the Snowden revelations. It is hard to find out which privacy or security concern is foremost on users’ minds as they answer surveys, or as they engage online.

There are some surveys focusing specifically on the impact of data breaches on consumers, although with a narrow focus on how a data breach would impact their loyalty towards that company, rather than more broad impacts on users’ trust. Nonetheless, they show the impact on trust is significant and represents a business risk companies should take into account.

The repeated news about significant data breaches appears to have raised awareness and interest. For instance, the graph below shows interest in ‘Data Breach’ as a topic in Google Trends, which is based on web searches. The trends show both a rising interest, along with distinct spikes that likely correspond to news of large breaches as users search for more information, or check if they might be victims.

The graph shows search volume by country, compared to the country with the maximum search volume, which is always 100 in Google Trends reports. For the topic ‘Data Breach’, the US dominates. This is likely because of the higher rate of disclosures there. However, these trends are confined to searches in English, and thus do not necessarily represent global interest in the topic.

The Centre for International Governance Innovation (CIGI) commissioned Ipsos to conduct the Global Survey on Internet Security and Trust that reached over 24,000 users in 24 countries in late 2015.10 The results confirmed a greater awareness of privacy issues and corresponding changes in reported behaviour.

57% of the respondents are more concerned about their online privacy compared to the year before; in 2014, 64% reported more concern compared to the year before that. Thus, privacy concerns are definitely on an upward trajectory.

These concerns may only be partially related to data breaches. Some users may be concerned by other factors, including pervasive surveillance or how their data is collected and used by businesses. Nonetheless, data breaches are among those factors that impact users’ decisions about how they use the Internet.

When asked how they changed their online behaviour, only 17% of users said they had not changed their behaviour at all. The rest expressed a variety of changes as shown. While only 11% said they were using the Internet less often, more were changing their online behaviour including providing less biographically accurate information online.

Some users indicated they were taking sensible defensive measures including using commercial antivirus software and not opening emails from unknown sources. This shows a growing awareness among users that they have a role to play in protecting the security of their devices and their personal information.

The following graph shows the responses in each of the 24 individual countries covered by the CIGI-Ipsos survey, to show variations across countries in three key questions of how users are changing their online behaviour: using the Internet less often; doing fewer financial transactions online; and making fewer online purchases. In most of these cases, negative responses in emerging countries tended to be higher than the total average, notably in Kenya, Nigeria, Pakistan, and India, while in developed countries, the negative responses tended to be lower than the total average, notably in Germany and Japan.

This lack of trust can have a significant impact on the ability to do business. For instance, the lack of trust in online payments, and fear of online fraud contribute to the high prevalence of cash on delivery (COD) usage for e-commerce in India. This payment mechanism requires the recipient to pay the deliverer for the products, which requires the buyer to be present, marks the deliverers for robbery, and results in many returns, where the buyer simply does not accept the package at delivery.11 Similar issues are arising in other countries where online trust is low, such as Nigeria.12

This lack of trust in online payments, along with other changes such as fewer financial transactions online, challenges both the full potential of the Internet economy as well as the impact it can have on the broader economy.

United States

The US data demonstrates a difference in how trust issues impact the attitudes and behaviour of those already online compared with those not yet online.

The chart shows how US Internet use at home has grown since 1998, from just over 20% to almost 70%. Internet use among individuals is now even higher, near 75%, but not everyone accesses the Internet from home.

Among the declining number of households who do not access the Internet from home, the percentage who cite privacy and security as the main reason for not going online is very low, given by 1.4% of households not online in 2015. This was the least cited reason for households not to go online in 2015.

In 2015, the majority of households not online stated it was because of a lack of need or interest in the Internet, followed far behind by cost concerns, then even further behind by the lack of a computer to use. A small percentage stated it was because the Internet was not available in their area. Another small group said they were not interested in using it at home because they could use it elsewhere.

Instead, privacy and security concerns weighed more heavily on those already online, particularly for those who had already had their online security violated.

Households with Internet users are concerned about online trust, according to a recent survey conducted for the National Telecommunications & Information Administration (NTIA) by the US Census Bureau.13

As shown in the graph, online households had significant privacy and security concerns, particularly about identity theft and credit card or banking fraud. Many had direct experience with such events.

The study revealed an average of 19% of Internet-using households had been impacted by a security breach, identity theft, or other malicious activity in the 12 months before. Further, the more online devices in the household, the more likely a breach, ranging from 9% for those with one device, to 31% for those with five or more devices.14

Those households who had recently been affected by a breach were, not surprisingly, even more concerned about privacy and security risks. While the average concern about identity theft was 63% of households, for those who recently experienced a breach, 70% were concerned about another one occurring.

According to the survey, these concerns about privacy and security lead users to avoid certain online activities. In particular, as shown in the graph, some users expressed a reluctance to express a controversial position online, post on social networks, buy goods or services, or conduct financial transactions. For instance, up to 30% of users reported avoiding conducting financial transactions online. Among those reporting a prior security breach, the percentage avoiding online financial transactions was even higher at 40%.

However, online use of services requiring personal information, notably online shopping and financial services, continues to climb, to almost 70% of those online in 2015. While it is possible, and even probable, that online use of these services would have increased further but for the security concerns, the number of users is still climbing regardless.15

This increase in the number of users should not make organisations complacent about user trust. Prior experience (or even knowledge) of an online security breach impacts user trust. Further, more and more breaches are taking place. It is important to listen to what users are saying, and not dismiss their concerns simply because online transactions are increasing. Users are less trustful, and as the pace of data breaches increases, their concerns should be front and centre for those working to promote and restore trust in the Internet.

European Union

In the European Union, the story is quite similar to the US. Online households across the current 28 countries of the EU climbed to a level now over 80%.

The concerns of the households not yet online are examined below.

Concerns about privacy and security have been climbing over the past years. But, still only 9% of households that are not online cite privacy and security as a concern.

Instead, the top reason cited for not being online is a lack of perceived need, followed by a lack of skills, and then by concerns with the cost of access or equipment. As in the US, privacy and security is the lowest ranked reason for not going online, although at a higher level than in the US.

Like in the US, security concerns in the EU weigh more heavily on those already using the Internet.

According to Eurostat, 25% of European Internet users experienced general security issues on the Internet, including viruses, abuse of personal information, financial losses, or children accessing inappropriate websites.16 With regard to the issues relevant to this report, 3% experienced abuse of personal information, and 3% experienced financial loss.

Some Internet users in the EU cited Internet activities they were not willing to engage in as a result of security concerns, including online banking, e-commerce, social networking, and interacting with public authorities. The greatest level of concern was just under 30%. Further, there was relatively little variation between 2010 and 2015, the two years in which these questions were asked.

As in the US, growth of use of the corresponding services has nonetheless been steady over the years. It is not possible to gauge the impact of the expressed security concerns on use. But up to 65% of Internet users in the EU are now engaging in services that require personal information such as online banking. Of course, that means a significant minority of Internet users are still not using such online services.

Brazil

The Regional Center for Studies on the Development of the Information Society – known as Cetic.br – has been gathering survey data in Brazil over the past ten years. The data provides evidence of the value of detailed long-term surveys in assessing Internet issues in general, and for us in assessing the impact of security concerns on users in markets less developed than the US or the EU.

Over the past decade Brazil made impressive strides, during a period in which household and individual Internet adoption began under 10%, and ended at 50% for households, and over 60% for individuals (who may not always access from home).

Households without Internet access citing security and privacy concerns as a reason for not going online have been climbing relatively steadily over the past ten years, reaching 12% in 2014. However, as in the US and the EU, this was the least cited reason for that year (along with concerns about dangerous content). Instead, households cited a lack of need or interest quite highly, as in the US and the EU, with more emphasis on cost and availability of a computer, as would be expected in an emerging market.17

Key online activities, namely e-government and e-commerce, have been growing steadily among Internet users, albeit to relatively low levels, with only 35% using these services, as shown in the top graphs below.

With respect to e-commerce, the most cited reasons for not transacting online were related to demand, while the same is basically true for e-government services. Nonetheless, as shown in the bottom graphs, security and privacy are factors in decisions not to engage in these online activities and could be holding back the growth of Internet use in Brazil.

Consumer Loyalty

While these surveys cover the broad impact of privacy and security issues on users’ trust, they do not focus exclusively on the impact of data breaches. There are other surveys that focus on this topic, from the narrower lens of impact on users as consumers of the companies who were breached. The results show that consumer loyalty would be shaken by a data breach, representing a significant cost to companies who experience one.

One survey of five countries (US, UK, Germany, Australia and Japan) asked how likely a customer would be to do business with a company that had experienced a data breach in general, involving personally identifiable information, or involving financial and sensitive information.18 The willingness to do business with such a company decreased as the information breached became more sensitive, as one would expect. With respect to financial and sensitive information, the global results are below.

Globally, 40% of respondents said they would never again do business with such a company. Within countries, this ranged from 25% in the US to 55% in Japan. The results are not surprising, yet still sobering.

When asked, a global average of 49% of consumers felt companies are not taking the protection and security of customer data seriously enough.

These results suggest companies have their work cut out for them. Should they fail to justify trust, they will face significant customer loyalty challenges, particularly for losing the most sensitive of personal information.

Summary

People in a wide range of countries indicate a concern with online privacy and security issues. For non-users, there is a small impact on their willingness to go online. For those already online, the concern is stronger and impacts the willingness to use services requiring personal information.

While privacy and security concerns are not yet an epidemic, as more and more users are affected by data breaches, they will become more sensitive to the risks and may reduce their use of the Internet accordingly. This is generally true, but also specifically true with respect to using the services of the companies that were breached.

There is also a financial cost associated with these breaches, in addition to the impact on customer loyalty. While the overall costs are significant, organisations may not fully account for the impact of breaches on users, and their trust and use of the Internet. This reduces the incentive for organisations to prevent them.

Data breaches have a significant impact on the organisations breached, as well as their users.

For a breached organisation, there are significant costs, both direct and indirect. The direct costs include investigation and compensation to those whose records were breached as well as the cost of recovery. Indirect costs include reputational costs, loss of customers, and negative stock price impact.

Given the increased amount of data organisations are gathering, and the increased risk of breaches, they are spending a significant amount of money on cybersecurity, to prevent, detect and mitigate breaches, and on cyber insurance, for help in the aftermath of a breach.

Connecting the Unconnected

These surveys shed important light on the Internet Society’s objective of promoting and restoring trust in the Internet. They are equally relevant for the Internet Society’s other main goal – connecting the unconnected.

In the US and the EU, the main reason for households not going online is a lack of need or interest in the Internet. This is an accurate reflection that availability and affordability are no longer issues for most of these populations.

Even in emerging Brazil, however, where cost and ownership are primary concerns for households not going online, a lack of need or interest in the Internet is almost as important.

Addressing the lack of need or interest in the Internet has been the subject of a number of recent Internet Society papers focusing on the value of increasing local content to bring people online.19

However, many of the costs of a breach fall on other third parties. For instance, when Target stores were breached for credit card data, the financial institutions bore the cost of replacing the credit cards, and followed with lawsuits to recover losses from Target. Indeed, Target itself was breached through a connected contractor, whose defences were weaker, but which may not have borne any of the direct cost of the breach. Even Target customers, whose credit card details were the target of the breach, had to sue for compensation, finally reaching a legal settlement.20

Users do not seem to be fully in the equation in calculating the cost of data breaches, which is of particular concern to the Internet Society. Specifically, users are typically considered in terms of the cost to the organisation following a breach, relating to the cost of notification, identity protection, lost business, and discounts to keep customers. However, few studies show the full cost of the breach for users separate from the cost to organisations, in terms of any user liability for fraud, time spent on trying to be compensated for fraud and restore their identity and credit, not to mention the non-financial cost in terms of anxiety and uncertainty.21

In addition to the financial and non-financial costs, another cost not generally considered is the broader impact on the Internet economy resulting from users choosing to limit their online engagement because of concerns about data breaches.

The lack of organisational liability for all the costs of a breach may limit the incentive to stop them.

An accurate estimate of the total global cost of breaches is impossible to calculate. As discussed above, not all breaches have been discovered, and not all breaches discovered are disclosed, in part or whole. Further, even for the disclosed breaches, it is hard to calculate the full costs borne by the affected organisations, the individuals whose data was breached and the cost to society.

Still, Juniper Research estimated in 2015 that the cost of data breaches was around USD 500 billion, and would quadruple to USD 2.1 trillion by 2019, representing 2.2% of global GDP.22

In a recent CIGI publication, Look Who’s Watching, Surveillance, Treachery and Trust Online, the authors estimated the accumulated costs of data breaches in the countries they surveyed to be between USD 5.3 trillion and USD 15.7 trillion.23

Another study by the Ponemon Institute took a more detailed approach. It focused on calculating the cost of data breaches among a sample of 383 companies in 12 countries who had experienced a data breach.24

It looked at breaches that included personal information, including at least a name as well as medical and financial records.

It also included both direct and indirect costs. The former included experts to help with internal forensics, as well as external help for those whose data were breached, such as credit monitoring. Indirect costs included customer loss in the wake of the breach.

This study had the following results for 2016:

  • Average total cost of a data breach: USD 4 million (up 29% since 2013)
  • Average cost per lost record: USD 158 (up 15% since 2013)

The cost per lost record is quite high already – USD 158 – and is an average. In the US it is USD 221, compared with USD 61 in India, while in the health sector the overall average is USD 355 per record, compared with USD 80 per record in the public sector.

The greatest cost component for organisations, on average, is lost business. This confirms the impact of a data breach on consumer loyalty. The second highest is the cost of working with customers and remediation, closely followed by the cost of detection.

These breaches can threaten to overwhelm an organisation. One health clinic breached for personal information, including medical histories and social security numbers, publicly announced that it could not survive if it had to pay the 200,000 affected patients for credit monitoring services. This leaves the patients with little alternative other than a lawsuit (which could, of course, have the same impact on the clinic’s finances).25

Given these high costs of data breaches and the costs of other cyber attacks, it is not surprising that spending on cybersecurity is high and increasing. The result is a healthy market for those in the cybersecurity business:26

  • Annual spending of USD 75 billion in 2015, growing to USD 170 billion by 2020 (Bank of America Merrill Lynch)
  • ISE Cyber Security Index of stocks beat the S&P 500 by 120% between 2010 and 2015
  • 1 million cybersecurity job openings globally (Cisco) in spite of a salary premium of 9% over other IT jobs (Burning Glass Technologies)

In light of the high and increasing level of losses through security breaches, not surprisingly the cyber insurance market is growing rapidly.

One study has insurance spending at an annual level of USD 2.5 billion, set to triple by the end of the decade (PwC). Within that spending, however, 90% is focused on the US market, leaving significant room to grow in other countries.

Furthermore, the market is quite immature, because of a lack of data on disclosures, and the impact of human behaviour that is difficult to predict.27

Finally, and somewhat disappointingly, there are few studies of the cost of data breaches on the customers themselves. One such study showed a significant proportion of victims of stolen US social security numbers were the subject of identity theft. Each incident resulted in USD 3,300 in losses along with 20 hours of time and USD 770 spent on lawyers.28 It is not clear if these costs were covered in the aftermath of that breach – in general though, users have to fight for compensation.

All data with respect to data breaches are trending upwards:

  • Reported breaches are increasing, with an increasing number of known records breached and more that are unknown in number, meaning an increasing number of people are directly and indirectly impacted.
  • Surveys do not yet indicate a significant impact of reported data breaches on non-users’ willingness to go online. However, as more users are impacted by data breaches, such as having their identity stolen for profit, more users will hesitate to use online services requiring personal information in general, and specifically stop doing business with a company that has been breached.
  • Finally, organisations are spending more on prevention, but this has not yet noticeably lowered the number of breaches, or the impact and cost of breaches when they do occur. In turn, the cost of breaches, when calculated, typically focuses on the cost to the organisation, and not the full cost for the users who were the ultimate victims of the breaches.

These trends cannot be allowed to continue, or accelerate, without significant harm to individuals’ privacy and users’ trust in the Internet, resulting in lower and more selective use of the Internet. This, in turn, has the potential to negatively influence the economic and social impact of the Internet on the broader economy and society.

A number of key issues and recommendations follow in the next sections that could slow or reverse this negative cycle of data breaches and distrust.