Data breaches are not only becoming more prevalent among companies located in the U.S.; recovering from them is also becoming more expensive.
According to the 11th annual benchmark study conducted by the Ponemon Institute, the average total cost to resolve a data breach increased by 7 percent since the previous study conducted in 2013, to a staggering $7.01 million. The average cost for each lost or stolen record containing sensitive information increased by 2 percent, from $217 to $221 per record.
The 2016 study, released in June, examined costs incurred by 64 U.S. companies in 16 industry sectors. Data breaches involving more than 100,000 compromised records were not included in the results as the institute found that the types of breaches incurred by most organizations averaged 29,611 compromised records.
The report provides information regarding trends gleaned from research as well as findings on factors that generate higher costs and those factors that reduce the costs of data breaches. Over the years, results from the Ponemon studies have revealed these trends:
- The cost of a data breach has not fluctuated significantly, suggesting that businesses should incorporate the cost into their data protection strategies.
- The biggest financial consequence of a data breach is lost business, which, not surprisingly, is greater in certain industries such as the financial, health, technology, life sciences and service industries. Organizations need to include steps to retain customer trust in any plan.
- Most data breaches continue to be caused by criminal and malicious attacks, which take the most time to detect and contain and therefore have the highest cost per record.
- The costs of data breaches are higher for entities in regulated industries, such as healthcare and financial services, because of fines and higher than average loss of business.
- Improvements in data governance programs often result in cost savings. These may include having incident response plans in place, appointing a CISO, implementing employee training and awareness programs, and having a business continuity management strategy in place.
- Investment in data loss prevention controls, encryption programs, endpoint security solutions and threat sharing reduced costs.
Three factors were found to increase data breach costs the most:
- Third party errors
- Extensive migration to the cloud
- Rush to notify
Third party involvement resulted in the highest increase, adding $20.30 to the cost per record lost or stolen, with cloud migration coming in second with an increase of $15.40.
The lesson to learn is to carefully choose third party vendors and make sure that all vendor agreements require the vendor to maintain standards to mitigate risk and require the vendor to take responsibility in the event of a breach (or at the least provide for an equitable sharing of the risk and costs if a breach occurs). Many vendor agreements include provisions limiting the vendor's liability, which, if not modified to carve out data breaches, can leave the customer with all of the costs of the breach. Requiring vendors to carry appropriate insurance and, in certain circumstances, name the customer as an additional insured may help mitigate the risk.
The risks and costs of data breaches are not likely to lessen, so planning and taking steps to mitigate and deal with a data breach will need to be part of the strategy of most, if not all, businesses.