Ponemon Institute Study on Costs of Data Breaches Highlights Improvement and New Risks for U.S. and Global Companies

Ballard Spahr LLP

The average cost of a data breach, on both an aggregate and a per-record basis, has decreased slightly according to the Ponemon Institute's 2017 Cost of Data Breach Study: Global Overview. In addition to presenting recent trends, the Ponemon report identifies factors that make it more likely an organization will suffer a data breach in the next 24 months.

The recently released report, dated June 2017, analyzed data breach incidents occurring mainly in 2016. The global study included 419 companies in 13 country or regional samples. All participating organizations experienced a data breach ranging from approximately 2,600 to roughly 100,000 compromised data records. The findings for U.S. and multinational companies are somewhat mixed.

On a positive note, researchers found that the overall cost to companies and institutions suffering a data breach is down 10 percent to an average of $3.62 million per breach. Similarly, the average cost per lost or stolen record is down 11.4 percent to $141.

On a more sobering note, Ponemon found that there is a 27.7 percent likelihood of a recurring material breach over the next two years for the companies in the study, an increase of 2.1 percent from the prior year. The study defined a material data breach as one that involves a minimum of 1,000 lost or stolen records containing personal information about consumers or customers.

The study outlined a number of factors driving the cost of a data breach. Heavily regulated industries, including health care and financial services, suffer more costly data breaches, with a per-record cost substantially higher than the overall mean of $141. Additionally, these two industries experienced among the most significant increases in cost per compromised record compared to the four-year average, with health care up $11 per record and financial services up $23 per record.

The study identifies the following factors affecting the overall cost of a data breach:

  • The more records lost, the higher the cost.

  • The faster a company can identify and respond to a data breach, the lower the cost.

  • Use of incident response teams and extensive encryption reduces overall costs.

  • Involvement of third parties and cloud vendors at the time of a data breach increases overall costs.

  • Hackers and criminal insiders cause the most data breaches, with nearly half of the year's breaches due to malicious or criminal attacks.

  • Attacks performed by malicious insiders or criminals are costlier than system glitches or employee errors.

In an important new finding, the study also showed that the appointment of a chief privacy officer reduced the cost by $3 per compromised record, and the deployment of security analytics saved $7 per compromised record. By contrast, extensive use of mobile platforms and compliance failures increased costs by $9 and $11 per compromised record, respectively.

In the United States, 52 percent of breaches were due to hackers and criminal insiders, the second highest in the study, behind the Middle East. The study also found that U.S. organizations spend the most on data breach response and had the highest indirect costs per compromised record, at $146. Indirect costs include employee time and effort and other organizational resources spent notifying victims and investigating the incident, as well as the loss of goodwill and the unplanned loss of customers.

The Ponemon study includes key findings that companies can use to develop or augment their information security and overall data protection programs. Overall, it demonstrates that data security is a moving target, with a constantly evolving threat landscape. While companies are increasingly taking steps to reduce data breach costs, changes in technology and increased data usage are driving up the potential costs.

In addition to Ponemon, other entities have published studies analyzing the cost of data breaches, including RAND Corporation and NetDiligence. When using this information, such as for cybersecurity insurance coverage purposes, an entity should first understand and develop its unique cybersecurity risk profile. For example, as noted above, the financial risk of a data breach tends to be higher for health care and financial entities. The Ponemon study also assigns a cost for loss of customers after a breach, which may or may not be relevant to a particular entity. Therefore, it is important to place the information into the proper context as it relates to an entity's particular industry and circumstances.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Ballard Spahr LLP
