Ponemon: Data Breach Cost Increases to $154 per Record

The Ponemon Institute has released a new IBM-sponsored report on the financial implications for organizations suffering data breaches. The Cost of Data Breach Study: Global Analysis involved 350 companies from 12 countries: Australia, Brazil, Canada, France, Germany, India, Italy, Japan, Saudi Arabia, United Arab Emirates, United Kingdom and the United States, although Saudi Arabia and the United Arab Emirates were grouped together under “Arabian Region.”

One of the main findings is a 23% increase in the average cost of a data breach since 2013. The average cost is now $3.8 million per data breach, with an average cost per record of $154.

Stark Contrast with Verizon Data Breach Cost Estimates

Estimating the cost of a data breach is a highly complicated business. Last month Verizon released a study that included a data breach calculation which estimated the cost per record to be 58 cents, although Verizon researchers were quick to admit that their methodology had flaws.

Since the cost was estimated to be lower than that of printing and mailing a breach notification letter, their methodology clearly requires some fine-tuning. The Ponemon report is the product of over 10 years of research in the field and appears to provide much more realistic figures.

Data Breach Costs Vary by Country

As one would expect, the report showed that the cost of a data breach is dependent on where the organization is based. Different countries have different regulations and penalty structures, resulting in vastly different data breach costs. The researchers discovered that the cost of a data breach in the United States was the highest with an average of $217 per record, with Germany closely following in second place at £211 per record.

The average total organizational cost was highest in the US at $6.5 million and lowest in India at $1.5 million. India also had the lowest cost per record ($56).

Cost of a Data Breach Varies According to Industry

Healthcare data breaches are the most expensive according to the study. The average cost was as high as $363 per record compared to the overall average – across all industries – of $154, up six percent. Data breaches affecting the education industry were also expensive, with the average as high as $300 per record. The data shows that the breach cost for the retail industry has risen dramatically, from $105 per record last year to $165 in 2015. The lowest costs were in the public sector, with an average of $68 per record.

The Cause of a Data Breach Plays a Big Part in the Cost

Average costs for different data breach causes were found to be:

  • Malicious/Criminal attacks: $170
  • System errors: $140
  • Human error/negligence: $134

In the United States, organizations paid an average of $230 per record to resolve a data breach caused by hackers or malicious insiders.

How to Reduce Data Breach Costs

One interesting finding from the report is the impact that board involvement has on the cost of a data breach. Board involvement in the breach response process was found to have positive consequences, reducing the cost of a data breach by $5.5 per record. Insurance cover also reduces the cost, but not by as much as many may think. According to the report, an insurance policy against data breaches only reduced the cost by $4.4 per record.

If encryption services are in use, the cost decreases by $12 per record; $12.60 can be saved with an incident response team, and providing training cuts the cost by $8. Business continuity management can shave off a further $7.10.

Other Factors Affecting Data Breach Costs

The study showed that Business Associate – or third party – involvement in a data breach significantly increased the cost, adding $16 per record. If external experts are required to conduct a forensic analysis, for example, that will add a further $4.50 per record, while rushing notification letters means an additional $8.90 per record.

Where are Data Breaches Most Likely to Occur?

Canada and Germany were the countries where data breaches were least likely to occur, while the biggest risk of a 10,000+ data breach was in Brazil and France. In Brazil and India, system glitches are most likely to expose data, while human error causes more breaches in Canada than in any other country in the study.

The researchers also calculated the likelihood of an organization suffering a breach, which is a factor of the number of records stolen and the industry. Researchers determined that across all industries, the probability of a data breach occurring in the next two years – involving between 10,000 and 100,000 records – was 22%, and of it involving over 100,000 records the chance was less than 1%.

Why is the Cost of Data Breaches Rising?

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said his research team had identified three main reasons for the continued rise in the cost of data breaches. He said, “Cyberattacks are increasing both in frequency and the cost it requires to resolve these security incidents. Second, the financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost.”

The third main reason provided was that “more companies are incurring higher costs in their forensic and investigative activities, assessments and crisis team management.”

The full data breach cost report can be downloaded from IBM.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.