Most organizations have no idea why a data breach can cost so much, but when you add up the workflow systems a breach affects, the picture becomes clear.
This year, the total average cost of a breach is $7.01 million. Companies operating in highly regulated industries such as healthcare, life sciences and financial services tend to have a per-record data breach cost substantially above the overall mean of $221.[1] In contrast, companies in the public sector (government), hospitality and research industries had a per-record cost below the mean.
Most data breaches continue to be caused by criminal and malicious attacks. These breaches also take the longest to detect and contain, and they have the highest cost per record.
Ten main costs of a data breach are listed below.
The mean number of days to resolve cyberattacks is 46 at an average cost of $21,155 per day – or a total cost of $973,130. Resolution does not necessarily mean that the attack has been completely stopped, as some attacks remain dormant and undetected.[2]
Loss of Customers
Of 2,000 adults interviewed in the U.S. this past April by independent technology market research specialist Vanson Bourne, 76 percent said they would move away from companies with a history of data breaches.
On an annualized basis, business disruption accounts for 39 percent of total external costs, which include costs associated with business process failures and lost employee productivity.[3] If a business is disrupted during its busy season, the cost could affect more than half of the business's annual income.
There could be fines from the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS), penalties under the Payment Card Industry Data Security Standard (PCI DSS), and sanctions from other regulatory bodies.
Three lawsuits were filed against Anthem less than 24 hours after it disclosed a breach. Target Corporation, Home Depot and Sprouts are but a few of the numerous organizations that have had class-action lawsuits filed against them in relation to a data breach. Some companies have had to pay upwards of $10 million to settle, and those costs do not include the fees paid to their legal teams.
A breach entails harm to an organization's brand and reputation, contact with the media, increased customer acquisition activities and diminished goodwill. Normally a PR call center must be established to keep the media, victims, stakeholders and employees informed of the aftermath.
Breached Client Records
The average cost for each lost or stolen record containing sensitive and confidential information increased from $217 in the 2015 study to $221 this year.[4] The 2016 Cost of a Data Breach U.S. study examines the costs incurred by 64 U.S. companies in 16 industry sectors after those companies experienced the loss or theft of protected personal data and then had to notify breach victims as required by various laws. The study does not include cases involving more than 100,000 compromised records, to avoid skewing the results.
Direct Financial Loss
Once attackers breach your network, they may be able to obtain access to your financial accounts to wire money to accounts they control.
Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private and public sector entities to notify individuals of security breaches involving personally identifiable information. Regulations such as PCI and HIPAA also require disclosure to consumers whose data has been breached. Notification costs include postage, secondary mail contacts or email bounce-backs, and the set-up of inbound communication channels. This year's average notification costs increased slightly from $0.56 million in 2015 to $0.59 million so far in 2016.[5] Notification to individuals must be by first-class mail unless the individual has agreed to electronic notice.
Credit Card Reissues, Identity Theft Repair and Credit Monitoring
A report from the U.S. Consumer Bankers Association (CBA) indicates that reissuing cards affected by the Target data breach cost over $172 million. Identity theft repair and credit monitoring cost about $10 per victim.
Certain factors reduce the cost of a data breach. Having an incident response plan and team in place, extensive use of encryption, employee training, Business Continuity Management (BCM) involvement and extensive use of data loss prevention technologies are all viewed as reducing the cost of a data breach.[6]
[1] Ponemon Institute, 2016 Cost of Data Breach Study: United States
[2] Ponemon Institute, 2015 Global Cost of Cybercrime Study
[3] Ponemon Institute, 2015 Cost of Cyber Crime Study: Global
[4] Ponemon Institute, 2016 Cost of Data Breach Study: United States
[5] Ponemon Institute, 2016 Cost of Data Breach Study: United States
[6] Ponemon Institute, 2015 Cost of Data Breach Study: Global Analysis