The average cost of a data breach, on both an aggregate and a per-record basis, has decreased slightly according to the Ponemon Institute's 2017 Cost of Data Breach Study: Global Overview. In addition to presenting recent trends, the Ponemon report identifies factors that make it more likely an organization will suffer a data breach in the next 24 months.

The recently released report, dated June 2017, analyzed data breach incidents occurring mainly in 2016. The global study included 419 companies in 13 country or regional samples. All participating organizations experienced a data breach ranging from approximately 2,600 to roughly 100,000 compromised data records. The findings for U.S. and multinational companies are somewhat mixed.

On a positive note, researchers found that the overall cost to companies and institutions suffering a data breach is down 10 percent to an average of $3.62 million per breach. Similarly, the average cost per lost or stolen record is down 11.4 percent to $141.

On a more sobering note, Ponemon found that there is a 27.7 percent likelihood of a recurring material breach over the next two years for the companies in the study, an increase of 2.1 percent from the prior year. The study defined a material data breach as one that involves a minimum of 1,000 lost or stolen records containing personal information about consumers or customers.

The study outlined a number of factors driving the cost of a data breach. Heavily regulated industries, including health care and financial services, suffer more costly data breaches, with an individual compromised record cost substantially higher than the overall mean of $141. Additionally, these two industries experienced among the most significant increases in cost per compromised record compared to the four-year average, with health care up $11 per record and financial services up $23 per record.

The study identifies the following factors affecting the overall cost of a data breach:

  • The more records lost, the higher the cost.

  • The faster a company can identify and respond to a data breach, the lower the cost.

  • Use of incident response teams and extensive encryption reduces overall costs.

  • Involvement of third parties and cloud vendors at the time of a data breach increases overall costs.

  • Hackers and criminal insiders cause the most data breaches, with nearly half of the year's breaches due to malicious or criminal attacks.

  • Attacks performed by malicious insiders or criminals are costlier than system glitches or employee errors.

In an important new finding, the study also showed that the appointment of a chief privacy officer reduced the cost by $3 per compromised record, and the deployment of security analytics saved $7 per compromised record. By contrast, extensive use of mobile platforms and compliance failures increased costs by $9 and $11 per compromised record, respectively.

In the United States, 52 percent of breaches were due to hackers and criminal insiders, the second highest in the study, behind the Middle East. The study also found that U.S. organizations spend the most on data breach response and had the highest indirect costs per compromised record, at $146. Indirect costs include employee time and effort and other organizational resources spent notifying victims and investigating the incident, as well as the loss of goodwill and the unplanned loss of customers.

The Ponemon study includes key findings that companies can use to develop or augment their information security and overall data protection programs. Overall, it demonstrates that data security is a moving target, with a constantly evolving threat landscape. While companies are increasingly taking steps to reduce data breach costs, changes in technology and increased data usage are driving up the potential costs.

In addition to Ponemon, other entities have published studies analyzing the cost of data breaches, including RAND Corporation and NetDiligence. When using this information, such as for cybersecurity insurance coverage purposes, an entity should first understand and develop its unique cybersecurity risk profile. For example, as noted above, the financial risk of a data breach tends to be higher for health care and financial entities. The Ponemon study also assigns a cost for loss of customers after a breach, which may or may not be relevant to a particular entity. Therefore, it is important to place the information into the proper context as it relates to an entity's particular industry and circumstances.

Members of Ballard Spahr's Privacy and Data Security Group have assisted clients in understanding their unique cybersecurity risk profiles and have provided guidance on mitigating risk through cybersecurity insurance coverage and other affirmative pre-breach efforts such as third-party vendor management policies and incident response plans. Our attorneys provide a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors. Our cross-disciplinary team helps clients around the world mitigate cyber risk, investigate and respond to cyber incidents, and navigate post-incident enforcement, compliance, and litigation risk.

Copyright © 2017 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.
