Ponemon Institute Publishes 2016 Cost of Data Breach Study

For the past 11 years, the Ponemon Institute has conducted an annual benchmark study on the cost of data breaches. This week, the Ponemon Institute published the results of its 2016 Cost of Data Breach Study, which shows the cost of breach resolution continues to rise.

The IBM-sponsored study indicates the average total cost of breach response and resolution has increased to $7.01 million from $6.53 million last year, a rise of 7% year on year. Ponemon puts the average cost per compromised record at $221, a rise of 2% (or $4 per record) from last year’s figure.

The 2016 cost of data breach study was conducted on organizations around the world, including companies based in Australia, Brazil, Canada, France, Germany, India, Italy, Japan, Saudi Arabia, the United Arab Emirates, and the United Kingdom. The global average data breach cost increased from $154 per record to $158 per record, with the total cost increasing from $3.8 million to $4 million per data breach. 383 companies took part in the global study.

64 U.S. companies took part in this year’s benchmark study and 16 industry sectors were represented. 11% of organizations taking part in the 2016 Cost of Data Breach Study were from the healthcare industry.

Each company had experienced a breach of sensitive information and was required to issue notifications to affected individuals under federal and state laws. Ponemon gathered data for the study over a period of 10 months and interviewed a number of individuals in each company in order to obtain cost estimates of responding to a specific data breach.

In order not to skew the results, Ponemon only includes data breaches that exposed fewer than 100,000 records, although this year’s breach incidents ranged between 5,125 and 101,520 records. The average number of records exposed or stolen per incident was 29,611.

The definition of a data breach used by the Ponemon Institute was a breach of data that involved individuals’ names in addition to either Social Security numbers, financial records, debit/credit card numbers, or medical records. Breaches of paper and electronic records were included in this year’s study.

Key Findings of the 2016 Cost of Data Breach Study

The average total cost of a data breach increased by 7% over the course of the past year, and the cost per compromised record increased by 2%. This can, in part, be explained by an increase in the size of data breaches and an increase in “abnormal churn,” which is a greater than expected loss of customers following a breach of sensitive information. The average size of a data breach increased by 5% this year, and abnormal churn increased by 3%. Abnormal churn rate was highest in healthcare, technology, finance, life science, and the service industries.

Heavily regulated industries have a higher per capita data breach resolution cost than other industries, with the healthcare industry facing the highest costs. The cost of a healthcare data breach was calculated to be $402 per record, considerably more than the life science industry, which was in second place with costs of $301 per record. The financial services industry was in third place with an average cost of $264 per compromised record.

Public sector breaches cost the least to resolve out of the 16 industries covered by the study, requiring a spend of $86 per record. The average cost of $221 per record – across all industry sectors – is a new record high. That cost is broken down as $76 for direct costs such as the purchasing of additional technology and legal fees, and $145 for indirect costs such as loss of business.

The 2016 cost of data breach study shows the primary cause of data breaches was malicious attacks, which accounted for 50% of all data breaches. 23% of reported data breaches were the result of employee negligence, while 27% were caused by system glitches and business process failures. Malicious attacks proved to be the costliest to resolve.

Ponemon discovered that the cost of detection and escalation had increased significantly and was now at a record high. The average cost of detection and escalation last year was $0.61 million; this year the cost was $0.73 million. Detection and escalation costs include forensic analysis, audit services, assessments, crisis team management, and communicating with executive management and the board of directors. Notification costs increased slightly from $0.56 million last year to $0.59 million in 2016.

Ponemon determined the average time taken to identify a data breach was 191 days and the average time to contain a breach was 58 days. Fast detection of a data breach can help to reduce the cost of resolution. The average cost of a data breach was $5.83 million when the mean time to identify it was less than 100 days, and $8.01 million when the mean time to identify it was greater than 100 days.

Having a breach response plan in place can help to reduce the costs of breach resolution. The average cost of a data breach was $5.24 million when containment was achieved within 30 days, and $8.85 million when containment took longer than 30 days.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.