Data breaches can cost millions. Large companies can take the hit. Smaller companies are not so lucky.
But why is the cost of a data breach so high?
For the answer, we turned to the Ponemon Institute Cost of Data Breach Study 2017. It surveyed 419 organizations from across the globe. Each company had a data breach and reported the cost.
In the U.S., the average data breach cost is $7.35 million, or $225 per record lost or stolen. That’s more than $2 million higher than any other country, according to the study.
What are the costs driving this? We dig in below.
Two Types of Data Breach Cost
The study groups data breach costs into two categories: direct and indirect.
Direct cost is the money spent in response to a data breach.
For example, it includes the cost to hire law firms and forensic experts, and the cost to notify victims and provide them identity theft protection services.
Indirect cost is NOT money paid for services in response to a data breach. Instead, it’s other associated costs.
For example, the time and effort spent by staff to handle the breach is an indirect cost. Loss of customers after a breach (aka “abnormal churn”) and the loss of reputation and good will are other indirect costs.
Abnormal Churn Cost
Abnormal churn is the loss of more customers than expected after a data breach. The higher the abnormal churn, the greater the cost of the data breach.
Even a small increase in churn rate can drive significant losses.
Ponemon estimates organizations with less than 1% abnormal churn lost an average total of $2.6 million after a breach. Organizations with more than 4% abnormal churn lost an average of $5.1 million.
Customer Churn Varies
Abnormal churn was greater in financial, healthcare, and service industries, and lower in organizations focused on education, research, or media, according to the report.
While organizations in the U.S. did not have the highest average churn rate after a breach (3.3%), they did have the highest costs associated with lost business.
These costs include loss of business, increased customer acquisition activities, and losses in reputation and goodwill, according to the report.
Detection and Escalation Cost
Detection costs are accrued during the discovery of a breach.
Escalation costs are driven by the actions taken to report a breach to appropriate personnel within a designated time period.
The cost of forensic analysis – which determines the source and breadth of an attack – is included in this category.
A forensic investigator is trained to collect and analyze evidence. The evidence is used to reconstruct events and identify entities that caused the breach. It’s also used to identify victims, and as evidence in criminal procedures.
When equipment is damaged, a forensic investigator can dismantle and rebuild a computer system to recover lost or damaged data.
Other detection and escalation costs:
- Assessment and audit services
- Creation of a public relations team for community outreach
- Organization of a team to manage the crisis
- Intra-agency communication to board of directors and executive management
- Implementation of a call center
According to the report, organizations in Canada had the highest detection and escalation costs, at $1.46 million per breach on average.
The United States detection and escalation costs were $1.07 million. The lowest were incurred by Brazil, at $0.43 million.
Notification Cost
Once a breach has been identified and contained, a notification process is set into motion.
In some countries (such as the U.S.) data breach notifications are required by industry regulations such as HIPAA in healthcare and PCI DSS for payment cards.
Notification cost includes:
- Review of regulatory requirements
- Establishment of a process to notify all necessary parties
- Creation of a contact database
- Engagement of outside experts to guide the notification process including legal services for defense and compliance
- Staffing of a communications desk to answer questions and concerns of those affected
At $0.69 million, the average notification costs per breach in the United States were significantly higher than those of other countries and regions included in the study.
The Middle East had the second highest cost, at $0.27 million, and India had the lowest at $0.02 million.
Ex Post Response Cost
Ex Post is Latin for “after the fact.”
These costs include:
- Help Desk Activities
- In-Bound Communications
- Special Investigative Activities
- Legal Expenditures
- Product Discounts
- Identity Protection Services
- Regulatory Interventions
The United States had the highest ex post breach costs at $1.56 million, followed by $1.43 million in the Middle East.
Brazil paid the lowest ex post response cost at $0.44 million.