In May 2015, the Ponemon Institute released its tenth annual Cost of Data Breach Study, sponsored by IBM. The study sets forth the average calculated cost for each lost or stolen record containing “sensitive and confidential information” as well as the average total cost paid by organizations victimized by lost or stolen data. The study reinforced a number of trends, including the increasing cost of data breaches, the effect of breaches on customer retention, and the rising frequency of criminal or malicious attacks resulting in data breach. It also notes that companies can reduce the cost of data breaches if certain practices are adopted.
Average Total Data Breach Costs Increased By 11% in 2014
The Ponemon study found that the per record cost for a data breach increased from $201 in 2013 to an average of $217 in 2014. Of that amount, $143 pertained directly to indirect costs (abnormal customer turnover, etc.) and $74 went to the direct costs, such as legal fees and further investment in technologies to remedy and prevent future incidents. Based on an average data breach population of 30,000 records per breach, the total average cost paid by an organization post-breach rose from $5.9 million in 2013 to $6.5 million in 2014 – an increase of over 11% in just one year.
Data Breaches in Highly Regulated Industries Are Even More Costly
A second major trend outlined in the report is the variation of costs by industry and sector. Industries that are heavily regulated – healthcare, pharmaceutical, financial, energy, and transportation – tended to have per capita data breach costs substantially above the $217 average:
- Healthcare averaged a per record cost of $398 in 2014 (up from $316 in2013)
- Financial companies saw per record costs of $259 (up from $236 in 2013).
Conversely, companies in the hospitality industry saw average per capita costs well below the average – $135 in 2014. However, though the per record cost was below the average, per capita hospitality costs still rose almost 45% – per capita cost was only $93 in 2013.
One interesting correlation emerged by comparing the per record costs for each industry industries with the levels of abnormal “churn” – a greater than expected loss of customers in the normal course of business – following a data breach. The financial and healthcare industries were the most susceptible to abnormal churn following a breach. The implication is that “industries with the highest churn rates could significantly reduce the costs of a data breach by putting an emphasis on customer retention and activities to preserve reputation and brand value.”
Data Breach Costs From Criminal Attacks Surpass Those Due to Human or System Errors
In 2014, the most common source of data breach was malicious or criminal attacks. Nearly half (49%) of all data breaches resulted from malicious or criminal attacks. Possibly more troubling is the correlation between malicious/criminal attacks and the per record cost. Independent of industry, the per record cost associated with malicious or criminal attacks was $230 – easily surpassing the average and per capita costs for data breaches caused by either system glitches ($210) or human error ($198).
Factors That Can Reduce Data Breach Costs
The Ponemon study also identified certain factors that can significantly reduce data breach costs. For example:
- Obtaining a cyberinsurance policy reduced data breach costs by $4.40 per record.
- Board involvement in cyber security policy development lowered costs by $5.50 per record;
- CISO leadership lowered costs by $5.60;
- Having business continuity management personnel on the incident response team reduced data breach costs by $7.10.
- Conducting employee training on information security practices reduced costs by $8 per record;
- Extensively using data encryption lowered breach costs by $12 per record; and
- Creating an incident response team available ahead of time dropped the per-record cost by $12.60.
The 2015 Ponemon study again provides valuable insight into the very real financial consequences for a data breach and why it is so critical to not only prepare a response in case of breach but to actively put systems and practices in place to lessen the likelihood of a breach in the first place.
The study examined 62 companies across 16 industries which had reported the loss or theft of protected personal data and then had to notify affected customers or patients. The figures reported in the study are based on actual reported data loss incidents and cost estimates made by the companies affected.