The cost of data breaches continues to rise globally. Businesses in the U.S. are spending the most addressing the problem — an average of $5.85 million over the last two years, according to the Ponemon Institute's 2014 Cost of Data Breach Study. The annual study involving 314 companies in ten countries put the average cost of a data breach at $3.5 million, a 15% increase over 2012.
Here are some of the survey’s takeaways.
Understanding the Cost of Data Breaches
Over the last two years, organizations in the U.S., the Arabian region and India had the largest average number of records lost or stolen. The most expensive data breaches — both in terms of average cost per record and total expenses — occurred in the U.S. ($201 per record/$5.85 million total) and Germany ($195 per record/$4.74 million total). In contrast, Brazil ($70 per record/$1.61 million total) and India ($51 per record/$1.37 million total) spent the least amount on data breach issues.
The study also reveals that the more heavily regulated the industry — such as healthcare, education, pharmaceutical and financial services — the higher the per capita cost for each data breach. By contrast, public-sector organizations and retail businesses maintain significantly lower per capita costs.
Root Causes of a Data Breach
The top three root causes of a data breach are —
Malicious or criminal attacks - these account for 42% of global data breaches and are the most expensive, averaging $159 per breach;
The human factor - a negligent employee or contractor accounts for 30% of global data breaches, although these breaches are the least expensive for businesses at $117 per breach; and
System glitches such as IT or business process failures - these account for 29% of data breaches, averaging $126 per breach.
Research shows that costs vary widely across countries. For example, in the U.S., data breaches from malicious or criminal attacks cost businesses approximately $246 per record, compared to $60 per record in India.
The causes of data breaches also differ among countries. Germany and Arab countries are the most likely to experience a malicious or criminal attack, followed by France and Japan. Indian companies are most likely to incur a data breach caused by a system glitch or business process failure. UK companies are more likely to have a breach caused by human error.
Factors that Influence the Cost of a Data Breach
The study reports that the more records lost, the higher the cost of the data breach. However, a strong data security strategy provides the greatest decrease in data breach costs. For the first time, the study reports, involving business continuity management in the remediation of a breach can reduce the cost by an average of $8.98 per compromised record. Cyber insurance is also helpful in managing the risk of a data breach and strengthening a company's security posture.
Factors that increase costs include lost or stolen devices, third parties, rapid notification procedures and outside consultants. The survey also details spending on a variety of other costs, including —
Notification costs - U.S. companies have significantly higher notification costs, while India and Brazil have the lowest costs.
Detection and escalation costs - Germany spends the most for detection and escalation, while India and Arab countries spend the least.
Post-data breach costs - U.S. and German companies have the highest post-data breach costs, while Brazil and India have the lowest.
Trends in compromised records and customer turnover
French and Italian organizations lose the most customers due to data breaches, while Indian and Arab companies have the lowest rate of customer turnover.
Certain industries are generally more susceptible to losing customers after a data breach — including pharmaceutical, financial services and healthcare organizations — while public-sector organizations and retail companies tend to experience relatively low customer turnover.
A data breach can result in more than financial repercussions. Damage to customer loyalty and brand reputation can also be significant. Astrong data security program is the best defense against potential class-action lawsuits.