The Ponemon Institute conducts an annual benchmark study on the cost of a data breach. The IBM-sponsored report reveals just how damaging data breaches can be to a company’s finances. Responding to a data breach costs companies millions of dollars, and each year the cost rises.
Last year, the Cost of a Data Breach study placed the average cost at $3.79 million. This year, the average cost has risen to $4 million. The average cost per stolen record rose from $154 to $158 over the past 12 months.
Average Cost of a Data Breach in the United States is $7.01 Million
However, those figures are taken from the global data collected for the study. The costs incurred by U.S. businesses are much higher. Take the figures for the United States alone, and the average cost is $7.01 million. Last year the average cost of a breach response in the United States was $6.53 million.
Organizations in the United States can expect to pay costs of $221 per record, although organizations in the healthcare, financial, and life science sectors can expect to pay far higher amounts. The cost of a data breach in the healthcare industry is a staggering $402 per record. The data also show that the average number of records exposed per incident increased.
In the United States, the total cost of a data breach rose by 7% over the space of a year, and by 2% per stolen or compromised record. The Ponemon Institute offers some suggestions as to why the overall cost of a data breach has increased by such a high degree. One of the main reasons is a substantial rise in indirect costs. When an organization suffers a security breach that exposes sensitive data such as credit card numbers, financial information, Social Security numbers, or medical records, consumers are increasingly taking their business elsewhere. The Ponemon Institute refers to this as the abnormal churn rate.
Organizations Should Try to Reduce Churn Rate After a Data Breach
One of the findings of the research is that the higher the churn rate following a data breach, the higher the cost of the breach will be. Companies that experienced an abnormal churn rate of lower than 1% had to pay average breach costs of $5.4 million. The cost rose to $6.0 million with an abnormal churn rate of between 1% and 2%, while a churn rate of above 4% resulted in average costs of $12.1 million.
The industries most likely to see customers leave and find alternative companies to do business with were healthcare organizations, financial companies, service organizations, and companies operating in the technology and life sciences industries. Public sector companies, research organizations, and the media experienced the lowest churn rates.
Ponemon suggests that one of the best ways to reduce the financial impact of a data breach is to put greater effort into retaining customers and adopting strategies to preserve brand value and reputation. Consumers now understand that data breaches are a fact of life, but they expect action to be taken by organizations that have suffered a breach that exposed their personal information. Issuing breach notifications quickly, offering credit monitoring services to affected individuals, and taking steps to greatly improve security can all help to reduce fallout after a data breach occurs.
Malicious Attacks Cost the Most to Resolve
All data breaches will result in organizations incurring costs, but the cause of a data breach will dictate how high those costs will be. Malicious attacks on organizations were discovered to cost the most to resolve. In the United States, the average cost per record for a malicious or criminal attack was $236. For system glitches the cost was $213 per record, and for human error the cost was $197 per record.
The costs incurred can be reduced significantly if organizations take steps to prepare for data breaches. The Ponemon Institute determined that having an effective breach response plan can greatly reduce the cost of a data breach. When an organization can respond quickly to a breach, the costs tend to be much lower.
The average time to contain a data breach was determined to be 58 days. Organizations that were able to contain a data breach in less than 30 days paid an average cost of $5.24 million per breach, compared to $8.85 million when the time to contain the breach exceeded 30 days.
It also pays to invest in technologies that allow organizations to identify breaches quickly when they do occur. The mean time to identify a breach was determined to be 191 days – more than 6 months. When the mean time to identify a breach was less than 100 days, the breach cost was $5.83 million. When the mean time to identify a data breach exceeded 100 days, the mean cost rose to $8.01 million.
The costs of breach resolution are continuing to rise. Organizations should therefore consider investing more heavily in technologies to prevent data breaches and to increase the speed at which they are detected. The results of the study clearly demonstrate that having a tested breach response plan in place is essential if costs are to be reduced.