Data Breach: A danger of third-party data collection

www.idagent.com

Data breach primarily refers to the security incident when private or confidential information is accessed without authorization. Over the years the cost of a data breach has increased. Figure 1, represents the average cost of a breach that increased by 1.5% year-on-year in 2019 and by 12% in a six-year period from 2014 to 2019. Rising data breach costs are driven by lost business and detection & escalation cost components. The dominance of lost business, the leading data breach cost driver for the last five years, represents the growing sensitivity among companies towards such incidents.

One of the industries closely dealing with a deluge of personally identifiable information is the ad-tech industry, and hence, is an important stakeholder in conversions of data breaching and the prevention of the same. With the advent of programmatic advertising and third party data collection, personally identifiable information of consumers and their activity over the internet have exploded.

A study conducted by Ponemon Institute in 2018 reported that 59% of a data breach in 2018 was caused by a third party. In 2018 alone, over a billion records cumulatively were exposed according to NordVPN. The average number of records breached in India stands at 35,636, 39% higher than the global average of 25,575 records.

Another study by Redbud found that 80% of sites visited had vendors dropping non-GDPR compliant third party cookies. When investigated, a key reason that third-party cookies were not counted as personally identifiable information by a large set of vendors. The wide presence of such a process anomaly has shocked many in the ad-tech supply chain.

Fig 1. Global average total cost of a data breach

Fig 2. Data breach cost composition (2019)

The problem is not only limited to vendor operations; many ad buyers are lured to take on the risk because of low-cost audience data available through these third party data collection providers.

In an anonymous interview, a programmatic ad buyer revealed that they ignore the risks and the errors associated with third party data gleaned from exchanges. They believe third-party data helps them get a huge discount on the audience segments which pays off better over the long term.

However, under growing regulatory restrictions, changes are already underway. In 2019, British Airways was fined ~US$ 229 million or 1.5 percent of its 2018 global revenue by the U.K’s Information Commissioner’s Office under the new GDPR. Under it, Organisations found to be not protecting customers’ data can be fined up to 4% of annual global revenue.

Total cost of a data breach by organizational size

Moreover, research has shown that the total cost of a data breach is 1.9 times higher for large organizations than smaller organizations. Although, even for smaller organizations this cost is US$ 2.74 million. (Ref Fig 3.) Hence, ad buyers and other stakeholders need to conduct a cost-benefit analysis which must include the penalty component from increasingly stricter regulations before relying heavily on third-party data collection.

Lastly, increasing scrutiny of the ad tech industry by regulators, especially in the UK and the US, and the recent Google announcement to phase out third party cookies from its browser Chrome may have far-reaching consequences that could alter the industry dynamics fundamentally.

Experts across sectors acknowledge the fact that there is no clear answer regarding the impact of third party cookie phase-out on data breaches. Mr. Sudipto Das, VP Advertising Solutions, APAC at Pubmatic said, “Data breaches are caused by such a disparate set of events and not all will be affected by regulation. Data breaches can be caused by hackers, who get increasingly sophisticated, or rogue employees – both are hard to regulate. However, data breaches can also be caused by poor data handling practices, which can be managed with regulation.

At PubMatic, we are committed to protecting user privacy and take data integrity seriously. We have industry-leading data minimization practices, where we retain only a very minimal amount of information for a short period of time—typically 40 days or less. We also maintain our own infrastructure and do not rely on third parties for our data centers, which gives us more control over our data management.”

Premium publisher networks like Colombia, from Times Internet, are already acting in line with the tailwinds of data privacy, while also giving advertisers’ enough control over audience segmentation.

Overall, the way forward includes a combination of several steps depending on the data breach risk assessment of a business. These steps include strong data governance and security plan, data encryption, data governance due-diligence for third-party vendors, and an internal audit for data breach susceptibility. Businesses that are at high data breach event risk must retain a data breach resolution provider & consultant.

About the author:

Vivek Pandey, VP, Revenue Strategy (Colombia Audience Network)