The cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year, as the healthcare industry also continues to incur the highest cost for data breaches compared to any other industry, according to a new study from IBM Security and the Ponemon Institute.
The global average cost of a data breach is up 6.4 percent over the previous year to $3.86 million, according to the 2018 Cost of a Data Breach study. The average cost for each lost or stolen record containing sensitive and confidential information, globally and across all industries, also increased by 4.8 percent year over year to $148. And, the 2018 cost of a data breach compares to $3.50 million in 2014, representing nearly a 10 percent net increase over the past five years of the study.
For the eighth year in a row, healthcare organizations had the highest costs associated with data breaches – costing them $408 per lost or stolen record – nearly three times higher than the cross-industry average ($148). The next highest industry was financial services with an average of $206 per lost or stolen record. You can read about last year's study here.
The 2018 Cost of a Data Breach Study, sponsored by IBM Security and conducted by the Ponemon Institute, is based on a survey of more than 2,200 IT, data, protection and compliance professionals from 477 companies in 15 countries. For the first time, this year the study also calculated the costs associated with "mega breaches" ranging from 1 million to 50 million records lost, projecting that these breaches cost companies between $40 million and $350 million respectively.
"While highly publicized data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified," Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services (IRIS, said in a statement. "The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake."
The study looks at abnormal churn rates among industries, or the greater than expected loss of customers following a data breach incident. The healthcare industry had the highest abnormal churn rate among 17 industries, at 6.7 percent, compared to the average of 3.4 percent. The report notes that customers have high expectations for the protection of their data in highly regulated industries, such as healthcare and financial services. When these organizations have a data breach, customers’ trust will decline and they will try to find a substitute, the report states.
The study also compared the cost of data breaches in different regions, finding that data breaches are the costliest in the U.S. and the Middle East, and least costly in Brazil and India. U.S. companies experienced the highest average cost of a breach at $7.91 million, followed by the Middle East at $5.31 million. The lowest total cost of a breach was $1.24 million in Brazil, followed by $1.77 million in India.
One major factor impacting the cost of a data breach in the U.S. was the reported cost of lost business, which was $4.2 million—more than the total average cost of a breach globally, and more than double the amount of "lost business costs" compared to any other region surveyed, according to the study. One major factor impacting lost business costs is customer turnover in the aftermath of a breach; in fact a recent IBM / Harris poll report found that 75 percent of consumers in the U.S. say that they will not do business with companies that they do not trust to protect their data.
In the past five years, the amount of mega breaches (breaches of more than 1 million records) has nearly doubled—from just nine mega breaches in 2013, to 16 mega breaches in 2017. Based on analysis of 11 companies experiencing a mega breach over the past two years, this year's report used statistical modelling to project the cost of breaches ranging from 1 million to 50 million compromised records. Key findings include that the average cost of a data breach of 1 million compromised records is nearly $40 million dollars. At 50 million records, the estimated total cost of a breach is $350 million dollars.
What’s more, the vast majority of these breaches (10 out of 11) stemmed from malicious and criminal attacks (as opposed to system glitches or human error). And, the average time to detect and contain a mega breach was 365 days—almost 100 days longer than a smaller scale breach (266 days).
For mega breaches, the biggest expense category was costs associated with lost business, which was estimated at nearly $118 million for breaches of 50 million records—almost a third of the total cost of a breach this size.
The study also examines factors which increase or decrease the cost of the breach, finding that costs are heavily impacted by the amount of time spent containing a data breach, as well as investments in technologies that speed response time. The average time to identify a data breach in the study was 197 days, and the average time to contain a data breach once identified was 69 days. Companies who contained a breach in less than 30 days saved over $1 million compared to those that took more than 30 days ($3.09 million vs. $4.25 million average total).
The amount of lost or stolen records also impacts the cost of a breach, costing $148 per lost or stolen record on average. The study examined several factors which increase or decrease this cost and found that having an incident response team was the top cost saving factor, reducing the cost by $14 per compromised record. The use of an AI platform for cybersecurity reduced the cost by $8 per lost or stolen record, according to the study, and companies that indicated a "rush to notify" had a higher cost by $5 per lost or stolen record.
The report also examined the effect of security automation tools which use artificial intelligence, machine learning, analytics and orchestration to augment or replace human intervention in the identification and containment of a breach. The analysis found that organizations that had extensively deployed automated security technologies saved over $1.5 million on the total cost of a breach ($2.88 million, compared to $4.43 million for those who had not deployed security automation).
"The goal of our research is to demonstrate the value of good data protection practices, and the factors that make a tangible difference in what a company pays to resolve a data breach," Dr. Larry Ponemon, chairman and founder of Ponemon Institute, said in a statement. "While data breach costs have been rising steadily over the history of the study, we see positive signs of cost savings through the use of newer technologies as well as proper planning for incident response, which can significantly reduce these costs."