The current headline in data security is a just-released report from the New York Attorney General's Office (the "AG Report") announcing that the number of reported data breaches more than tripled between 2006 and 2013, exposing 22.8 million personal records of New Yorkers.[1] The AG Report reveals that last year's record-breaking exposure of 7.3 million New Yorkers' personal information – with an estimated cost to business of $1.37 billion – was largely due to two sophisticated hacking attacks at Target and Living Social.[2] Troublingly, these "mega-breaches" are a growing trend, with five of the ten largest breaches reported to the New York AG occurring in the past three years.[3]

According to the AG Report, hackers were the primary culprits of data breaches, accounting for over 40% of New York's 4,926 breaches and over 63% of total records exposed.[4] Other leading causes were lost or stolen equipment or documentation (24%), employee error (20%), and insider wrongdoing (10%).[5] The AG Report shows that recurring breaches afflict not only retailers but also companies in financial services, health care, banking and insurance.[6]

While the AG Report highlights the increasing costs of data breaches, it may understate the total price tag. The AG Report estimates a $1.37 billion cost by multiplying the number of records exposed in 2013 (7.3 million) by $188,[7] the average cost of one personal record compromised in the U.S., according to a 2013 global study from Symantec and the Ponemon Institute.[8] But not all breaches are alike – the cause of the breach can have a critical impact on its cost. According to the Symantec-Ponemon study, data breaches caused by hacking attacks in the U.S. imposed a higher than average per-record cost of $277.[9] Records compromised by system glitches and employee mistakes had a relatively low per-record cost, at $174 and $159 respectively.[10] Given that a large portion of New York's reported breaches were caused by hackers and many breaches were not required to be reported under New York law, the cost to business was likely even greater.[11] Moreover, this year's Ponemon Institute study (now sponsored by IBM) on U.S. data breaches points to a trend of rising costs: compared to 2013, the average per-record cost increased from $188 to $201, and the average total cost of a breach rose from $5.4 million to $5.9 million.[12]

Companies can, however, significantly reduce the impact of a breach with enhanced security awareness and planning. Organizations with an incident response plan in place prior to the data breach reduced the average per-record cost by $17.[13] Having a Chief Information Security Officer saved an average of $10 per record.[14] The prime factor was adopting a "strong security posture," which reduced the average per-record cost by $21.[15] A strong security posture includes knowing where sensitive or confidential information is located, securing endpoints to the network, identifying system users before granting access rights to sensitive information, conducting training and awareness programs for system users, conducting independent system audits, installing security patches promptly, and complying with privacy laws.[16] Although it is important to act quickly once a breach is discovered, where the law permits a preliminary investigation the optimal response may not be immediate disclosure: entities that notified customers before undertaking a thorough assessment or forensic examination incurred an average cost of $15 more per record.[17]

Data breaches impose serious long-term costs on business. In the wake of Target's breach, the retailer reported a 46% decrease in net earnings and suffered a significant drop in stock price.[18] After 77 million PlayStation Network accounts were hacked in 2011, Sony Entertainment lost an estimated $1 billion and saw its stock fall 6%.[19] A recent study from McAfee and the Center for Strategic and International Studies calculated the annual global cost of cybercrime to be more than $400 billion.[20] With the emergence of the "internet of things," it is good business for companies to take cyber-security more seriously.

Alexander Reid