Data Breach Costs Hitting Record Levels

by Darryl K. Taft

The Ponemon survey notes that the average consolidated total cost of a data breach is $3.8 million, representing a 23 percent increase since 2013. “Based on our field research, we identified three major reasons why the cost keeps climbing,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “First, cyber-attacks are increasing both in frequency and the cost it requires to resolve these security incidents. Second, the financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost. Third, more companies are incurring higher costs in their forensic and investigative activities, assessments and crisis team management.”

The study also found that the average cost incurred for each lost or stolen record containing sensitive and confidential information increased 6 percent from a consolidated average of $145 to $154. The most costly breaches continue to occur in the U.S. and Germany at $217 and $211 per compromised record, respectively. India and Brazil still have the least expensive breaches at $56 and $78, respectively.

Notification costs remain low, but costs associated with lost business steadily increase. Lost business costs are abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished good will. The average cost has increased from $1.23 million in 2013 to $1.57 million in 2015. Notification costs decreased from $190,000 to $170,000 since last year.

Forty-seven percent of all breaches in this year’s study were caused by malicious or criminal attacks. The average cost per record to resolve such an attack is $170. In contrast, system glitches cost $142 per record, and human error or negligence costs $137 per record. The U.S. and Germany spend the most to resolve a malicious or criminal attack ($230 and $224 per record, respectively). Only 32 percent of all data breaches occurring in India are due to malicious attacks. In Brazil, the figure is 30 percent. However, India and Brazil have the most data breaches due to system glitches. Breaches due to human error are highest in Canada.

Business continuity management plays an important role in reducing the cost of a data breach. The research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $7.10 per compromised record and lower time required to contain a breach by 41 percent. In addition, for the first time, the survey looked at the positive consequences that can result when boards of directors take a more active role when an organization had a data breach. Board involvement reduces the cost by $5.50 per record. Insurance protection reduces the cost by $4.40 per record.

Health care emerged as the industry with the highest cost per stolen record, with the average cost for organizations reaching as high as $363. While the cost of data breaches stayed relatively constant for most industries, the retail sector experienced a significant increase from $105 in 2014 to $165 in 2015. Media reporting of these events and consumers’ concerns about identity theft caused retail companies to spend more money to address the consequences of data breaches. The lowest costs per lost or stolen record are in transportation ($121) and the public sector ($68).

For the second year, the research studied the likelihood of a company having one or more data breaches in the next 24 months. The probability is based on two factors: how many records were lost or stolen and the company’s industry. According to the findings, Brazilian and French companies are more likely to have a data breach involving a minimum of 10,000 records. In contrast, organizations in Germany and Canada are least likely to have a breach. In all cases, it is more likely a company will have a breach involving 10,000 or fewer records than a mega-breach involving more than 100,000 records.