Costs of a Data Breach Up to $7 Million Per Incident

Last month, we reported on the New York Attorney General's announcement that data breach notifications to his office were up 40% this year from the same period as last year, with the expectation that this year would see a record number of data breach notifications – expected to be in excess of 1000 as compared to approximately 800 in 2015. Not only are the number of reported data breaches on the rise, but, according to a new study, so are the costs.

In their annual Cost of Data Breach Study, IBM and the Ponemon Institute reported that the costs of a "standard data breach," meaning a breach involving less than 100,000 records, is slightly over $7 million. The cost per compromised record is up to an average of $221, though the cost per record in the health care industry almost doubles that average at $402 per record.

The study looked at 64 companies in 16 different industry sectors. The number of records breached per incident ranged from 5,125 up to 101,520, with an average of 29,611. This represents a 5% increase in the average number of records compromised in a breach from last year. The study purposely excludes review of data breaches involving more than 100,000 records, since those sort of "massive" breaches would not be typical of what most businesses would experience in relation to a data breach event.

This is the 11th year that the Poneman Institute has conducted the study. Based on review of all data over those years, the study identified seven "megatrends" relating to the cost of data breaches:

1. The overall cost of a data breach has not fluctuated significantly over the years, indicating that it is a permanent cost organizations need to be prepared to deal with and incorporate into their data protection strategies;
2. The biggest financial consequence to organizations that experience a data breach is lost business; meaning that, following a data breach, organizations need to take affirmative steps to retain customers' trust to reduce the long-term financial impact;
3. Most data breaches are caused by criminal and malicious attacks, which also take the most time to detect and contain and, thus, have the highest cost per record. The study revealed that 50% of breaches were criminal/malicious attacks, 23% were caused by negligent employees, and 27% involved "system glitches" (IT or business process failures);
4. Organizations recognize that the longer it takes to detect and contain a data breach the more costly it becomes to resolve. As a result, the data suggests that companies are investing in technologies and in-house expertise to reduce the time to detect and contain breaches;
5. Regulated industries, such as healthcare and financial services, have the most costly data breaches because of fines and the higher than average rate of lost business and customers;
6.  Improvements in data governance programs will reduce the cost of data breach, which include items such as creating incident response plans, appointing a "CISO" (Chief Information Security Officer), conducting employee training and awareness programs, and establishing a business continuity management strategy. On the other hand, data breaches due to third party errors, extensive cloud migration, and a rush to notify increased the costs; and,
7. Investments in certain data loss prevention controls and activities such as encryption and endpoint security solutions are important for preventing data breaches. In this regard, the study showed a reduction in cost when companies participated in threat sharing and deployed data loss prevention technologies.

Expanding on point number 2 above, the study revealed that the "indirect" costs of a data breach are far exceeding the "direct" costs of a breach. Indirect costs include the time employees spend on data breach notification efforts or investigations of the incident as well as costs associated with abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. Direct costs refer to what companies spend to minimize the consequences of a data breach and to assist victims, such as engaging forensic experts to help investigate the data breach, hiring a law firm and offering victims identity protection services. Of the $221 average cost per record breached, the indirect costs comprised $145 while the direct costs were $76.

Along the same lines, another report issued by Deloitte noted that 95 percent of the costs associated with a data breach can actually take place over a period of up to five years, with the value of lost contract revenue and lost customer relationships taking place over the extended time period (versus the initial costs of mitigating the data breach).

As both the number and cost of data breaches have risen, as the study indicates, businesses need to be more cognizant of the fact that there is a permanent organizational cost to addressing these matters. Proactive steps – including relatively simple steps such as data mapping, conducting data security assessments, establishing incident response teams, creating appropriate policies and practices, and performing employee training – can help decrease these costs in the long run and better prepare your organization for when a data breach occurs. This is not a problem that is going away and the more a business is able to do up front to prepare, the better the chance is that the business will survive a data breach event.