FEP Team Article

The Burgeoning Data Protection Industry

(Release date: December 13, 2019)

The data protection industry has officially emerged and its growth shows no signs of slowing. This broad industry covers cybersecurity, regulatory compliance, and disaster recovery. Both expenditures on data protection by large organizations and investments in new companies dedicated to data protection have increased dramatically over the last few years. The industry is expected to grow to over $120bn by 2023.¹ Increased cybercrime, increased public awareness of data held by private companies, and new regulations around privacy and data stewardship are all driving industry growth.

State of Investments

The data protection industry is in hypergrowth. At $5.3bn, VC funding in 2018 outsized 2016 funding by 81% and was about 20% higher than in 2017.² Additionally, 2018 saw four significant cybersecurity company IPOs by Avast, Tenable, Zscaler and Carbon Black. These four IPOs raised approximately $1.4bn, double the amount raised by the top four company IPOs the previous year.³

According to TD Ameritrade’s Registered Investment Advisor Survey, the number of registered investment advisors that invest in cybersecurity technology jumped from 11% in 2018 to 59% in 2019.⁴ According to the Cisco/Cybersecurity Ventures 2019 Cybersecurity Almanac, worldwide spending on information security products and services exceeded $114bn in 2018 and is projected to grow by 12–15% year over year through 2021.⁵ Geographically, the US leads venture capital dollars invested in cybersecurity followed by Israel, the U.K. and then Canada.⁶

Driving Growth

Of note, Facebook’s Cambridge Analytica data scandal has driven public awareness of the need for data protection. Cambridge Analytica collected personal private data on up to 87 million Facebook users without authorization. Cambridge Analytica then used this information for targeted political advertising purposes. In March 2018, whistle-blower Christopher Wylie, an ex-Cambridge Analytica employee, shared information accusing Facebook, LeaveEU, and Cambridge Analytica of breaking the law to the advantage of those who support Brexit and Donald Trump. Facebook was ultimately found guilty of two breaches of the United Kingdom’s Data Protection Act of 1998 and fined £500,000 (~$640,000) for its part in the Cambridge Analytica scandal.

Governments have taken notice of the need for data protection. The European Union (EU) passed the General Data Protection Regulation (GDPR) in 2016. Through the GDPR, the European Union significantly increased the requirements for appropriate technical and organizational measures for data protection. The fines for failing to put such measures in place were also substantially increased. For example, if Facebook’s Cambridge Analytica scandal had occurred after the GDPR went into effect on May 25, 2018, Facebook could have been fined £1.4bn (4% of global sales) instead of £500,000 by the Information Commissioner’s Office.

To better enforce GDPR restrictions, the EU implemented restrictions on data transfer outside of its borders. The controller of the data must ensure that the personal data it sends is adequately protected by the recipient of this data (either via contractual obligation or by adequate data protection laws in the recipient’s country). At least ten countries have already followed the European Union’s lead by implementing their own data protection laws. Countries whose data protection laws have been deemed by the EU to be of equal standard to that in the EU include Andorra, Argentina, Canada (only commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and Japan.

In the USA, adequacy is recognized by the EU if the recipient of the data belongs to Privacy Shield. Privacy Shield is an opt-in program administered by the International Trade Association within the U.S. Department of Commerce to allow the free flow of information from the EU to its US participants. Apart from this opt-in program, the United States has also begun implementing stronger data protection laws. The number of US states with data protection laws has doubled since 2016 to reflect growing concerns about data privacy. In the US, at least 25 states have laws to address the data security practices of private sector entities. The State of California passed the California Consumer Privacy Act, which becomes effective January 1, 2020.

These safeguarding measures are necessary as cybercrime is on the rise. The FBI reported that email account compromises cost US businesses more than $12.5bn in losses over the last 4.5 years. In fact, Cybersecurity Ventures predicts that cybercrime damages will cost the world $6tn annually by 2021. This is exponentially more than the global damage inflicted from natural disasters in a year.⁷


Approaches to data protection are varied. These approaches must respond to an evolving threat landscape. However, a few trends have emerged in the data protection industry. Detecting and remediating data breaches is becoming automated. Companies are using third party vendors to automate threat detection and internal policy enforcement. Security automation approaches now include machine learning to classify malicious and benign files. Dynamic policy enforcement now responds to detected breaches by updating default permissions to mitigate the damage caused by a detected breach. These trends are all designed to minimize the time to respond to threats.

Even with these emerging trends, however, it appears that more resources are needed to identify and contain data breach incidents. The average time from when a data breach incident occurs to when it is contained has grown 4.9 percent since 2018, to 279 days, according to the Ponemon Institute’s 2019 Cost of a Data Breach Report.⁸ This is despite the fact that time to containment has a dramatic effect on the cost of a breach. The report found that breaches contained in under 200 days were on average 37% less expensive ($3.34 million vs. $4.56 million).⁹ Therefore, the demand for data protection providers will likely remain strong.

As data protection becomes an increasingly important aspect of one’s personal and professional life, analysts expect significant growth in this sector. Data protection will continue to grow and consume a larger piece of corporate IT and operational budgets. For now, there is no abatement in sight for the data protection industry.


  1. https://www.marketwatch.com/press-release/data-protection-market-is-anticipated-to-grow-us-120-billion-by-2023-2019-01-16
  2. https://scvgroup.net/2018-cybersecurity-venture-capital-investment/
  3. https://www.darkreading.com/vc-investments-in-cybersecurity-hit-record-highs-in-2018/d/d-id/1333693
  4. https://s1.q4cdn.com/959385532/files/doc_downloads/research/2019/2019-RIA-Sentiment-Survey.pdf
  5. https://cybersecurityventures.com/cybersecurity-almanac-2019/
  6. Id.
  7. Id.
  8. https://www.ibm.com/downloads/cas/ZBZLY7KL?_ga=2.60047213.1513096325.1571679818-1213029691.1571679818&_gac=1.61210334.1571679818.Cj0KCQjwrrXtBRCKARIsAMbU6bE-73eSTgy6wF4g8jFqmvl_73ZwMey3AxJidPhCwFYwsKRdlC8I4vwaAjp1EALw_wcB
  9. Id.
  10. See https://www.marketresearchengine.com/data-protection-market