Cost of Data Breach 2017: What’s In It?

Cost-of-Data-Breach-1Data breaches can cost millions. Large companies can take the hit. Smaller companies are not so lucky.

But why is the cost of data breach so high?

For the answer, we turned to the Ponemon Institute Cost of Data Breach Study 2017. It surveyed 419 organizations from across the globe. Each company had a data breach and reported the cost.

In the U.S., the average data breach cost is $7.35 million, or $225 per record lost or stolen. That’s more than $2 million higher than any other country, according to the study.

What are the costs driving this? We dig in below.

Two Types of Data Breach Cost

The study groups data breach costs into two categories: direct and indirect.

Direct cost is the money spent in response to a data breach.

For example, it includes the cost to hire law firms and forensic experts, and the cost to notify victims and provide them identity theft protection services.

Indirect cost is NOT money paid for services in response to a data breach. Instead, it’s other associated costs.

For example, the time and effort spent by staff to handle the breach is an indirect cost. Loss of customers after a breach (aka “abnormal churn”) and the loss of reputation and good will are other indirect costs.

Cost of Data Breach 2Abnormal Churn Cost

Abnormal churn is the loss of more customers than expected after a data breach. The higher the abnormal churn, the greater the cost of data breach.

Even a small increase in churn rate can drive significant losses.

Ponemon estimates organizations with less than 1% abnormal churn lost an average total of $2.6 million after a breach. Organizations with more than 4% abnormal churn lost an average of $5.1 million.

Customer Churn Varies

Abnormal churn was greater in financial, healthcare, and service industries, and lower in organizations focused on education, research, or media, according to the report.

While organizations in the U.S. did not have the highest average churn rate after a breach (3.3%), they did have the highest costs associated with lost business.

These costs include loss of business, increased customer acquisition activities, and losses in reputation and goodwill, according to the report.

Cost of Data Breach 3Detection and Escalation Cost

Detection costs are accrued during the discovery of a breach.

Escalation costs are driven by the actions taken to report a breach to appropriate personnel within a designated time period.

Forensic Investigations

The cost of forensic analysis – which determines the source and breadth of an attack – is included in this category.

A forensic investigator is trained to collect and analyze evidence. The evidence is used to reconstruct events and identify entities that caused the breach. It’s also used to identify victims, and as evidence in criminal procedures.

When equipment is damaged, a forensic investigator can dismantle and rebuild a computer system to recover lost or damaged data.

Other detection and escalation costs:

  1. Assessment and audit services
  2. Creation of a public relations team for community outreach
  3. Organization of a team to manage the crisis
  4. Intra-agency communication to board of directors and executive management
  5. Implementation of a call center

According to the report, organizations in Canada had the highest detection and escalation costs, at $1.46 million per breach on average.

The United States detection and escalation costs were $1.07 million. The lowest were incurred by Brazil, at $.43 million.

Cost of Data Breach 4Notification Cost

Once a breach has been identified and contained, a notification process is set into motion.

In some countries (such as the U.S.) data breach notifications are required by industry regulations such as HIPAA in healthcare and PCI DSS for payment cards.

Notification cost includes:

  1. Review of regulatory requirements
  2. Establishment of a process to notify all necessary parties
  3. Creation of a contact database
  4. Engagement of outside experts to guide the notification process including legal services for defense and compliance
  5. Postage
  6. Staffing of a communications desk to answer questions and concerns of those affected

At $.69 million, the average notification costs per breach in the United States were significantly higher than those of other countries and regions included in the study.

The Middle East had the second highest cost, at $.27 million, and India had the lowest at $.02 million.

Ex Post Response Cost

Ex Post is Latin for “after the fact.”

These costs include:

  1. Help Desk Activities
  2. In-Bound Communications
  3. Special Investigative Activities
  4. Legal Expenditures
  5. Product Discounts
  6. Remediation
  7. Identity Protection Services
  8. Regulatory Interventions

The United States had the highest ex post breach costs at $1.56 million, followed by $1.43 million in the Middle East.

Brazil paid the lowest ex post response cost at $.44 million.

Related Resources

Infosecurity Magazine Lays Out Forensics

Top 3 Causes of Data Breach Are Expensive

Calyptix Top 4 Insights from Verizon Data Breach Report

Calpytix Top Network Security Concerns of Your Clients

Written by Calyptix

 - July 10, 2017

About Us

Calyptix Security helps small and medium offices secure their networks so they can raise profits, protect investments, and control technology. Our customers do not waste time with security products designed for large enterprises. Instead, we make it easy for SMBs to protect and manage networks of up to 350 users.
call us
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram