The eagerly anticipated annual release of the Ponemon Institute’s 2014 Cost of Data Breach Study has finally arrived. As yearly readers of the Study know, it provides a snapshot of the factors that leave an organization susceptible to a data breach, the costs associated with a breach across various industry sectors, and ways to mitigate the costs in the aftermath of a data breach. What else did this year’s Study reveal?
Costs Rise Sharply
After a trend that appeared to show average per-record data breach costs dropping as breach responses became more systematized, this year’s Study surprisingly reports that the cost of data breaches across the country has risen by roughly $13, to $201 per compromised record. This comes after two consecutive years of falling average per-record costs. Notably, the Study cites the increase in costs associated with customer turnover (from $128 to $134 per record) as a primary reason behind the overall increase. Similarly, the total cost of a data breach has risen to $5.85 million on average, up $450,000 year over year from the last Study report. Again, this increase can be traced to higher customer turnover stemming from lapses in cybersecurity.
Most notably, this year’s Study found markedly high costs in certain sectors. In healthcare, for example, the average cost per compromised record has now topped $316. Furthermore, the Ponemon Institute explicitly highlights malicious activity as a key driver of high-cost data breaches. Malicious activity by attackers was responsible for roughly 44% of the 2013 data breaches analyzed by the Study, and breaches stemming from malicious attacks cost roughly $246 per compromised record, compared with $160 per compromised record on average for breaches caused by “human error.”
The Study further examined what led to an uptick in costs and, at times, to a dramatic decrease. Lapses in cybersecurity by third parties and stolen mobile devices account for a significant surge in cost per compromised record, whereas a written Incident Response Plan (which SmartEdge highly recommends and discussed recently in our April 17 Data Breach Aftermath webinar) can dramatically lower the average cost of a data breach. Not surprisingly, the Study also found that a substantial and sound cybersecurity posture within a company can greatly mitigate the costs associated with a data breach.
Bigger Breaches Result in Bigger Costs
Another unsurprising finding of the Study is that the more records lost or stolen, the larger the monetary cost of the data breach. During 2013, the total cost of a data breach among those reviewed ranged from a low of $688,250 to a high of $23.1 million. The Study also noted, as mentioned earlier, that higher-than-normal customer turnover often led directly to a larger total breach cost, with industries such as Financial Services and Technology facing higher than “normal” customer turnover following a breach.
The Institute analyzed a multitude of cost factors within data breach responses. Average detection and escalation costs increased by approximately $20,000 from the year before, to $420,000. Notification costs, however, fell from $570,000 to $510,000 year over year. Conversely, post-breach costs, which include legal outlays, identity protection, and remediation services, increased markedly from $1.41 million to $1.60 million on average. In the same vein, costs associated with lost business grew to $3.32 million from $3.03 million in the previous year.
The Study also reached an intriguing conclusion: firms are still spending more on direct costs, such as hiring forensic services or enlisting identity protection companies to assist affected customers. Indirect costs, such as expenditures on maintaining brand value or on more thorough investigation of the incident after the dust settles, receive much less attention and funding.
Additionally, the Study noted that companies have a 19% chance of suffering a small data breach over 24 months (with “small” defined as at least 10,000 customer records), and a 1% risk of a breach compromising at least 100,000 records. Of course, “your mileage may vary.” The Study all too briefly touches on the fact that public sector and retail entities carry the highest general risk of a data breach, while the energy and industrial sectors currently enjoy the lowest risk.
The Ponemon Institute also details steps to reduce the likelihood of a data breach and to minimize its ramifications. Measures the Study recommends include adopting a sound cybersecurity posture, cohesive incident response procedures, and the presence of a Chief Information Security Officer (CISO). Moreover, the Study suggests companies consider adopting or expanding the use of encryption, training programs, additional information security controls for networks, and security audits.
To discuss or address your firm’s cybersecurity concerns after reading this comprehensive Study, feel free to contact us at info@SmartEdgeLawGroup.com or 203 307-2665.