Healthcare continues to be the most expensive industry for data breaches, as healthcare data breaches cost organizations $380 per stolen record, more than twice the average global cost across all industries, according to the 2017 Cost of Data Breach Study.
What's more, the cost of healthcare data breaches has risen from a per capita cost of $355 last year and from a four-year average of $369, the study found.
Sponsored by IBM Security and conducted by Ponemon Institute, the study surveyed 419 organizations in 13 different countries or regions to quantify the economic impact of data breaches and examine cost trends over time in order to show the costs associated with data breach incidents.
“Data breaches and the implications associated continue to be an unfortunate reality for today’s businesses,” Larry Ponemon, Ph.D., chairman and founder of the Ponemon Institute, said in a statement. “Year-over-year we see the tremendous cost burden that organizations face following a data breach. Details from the report illustrate factors that impact the cost of a data breach, and as part of an organization’s overall security strategy, they should consider these factors as they determine overall security strategy and ongoing investments in technology and services.”
IBM Security also launched a Cost of a Data Breach Calculator, an interactive tool that enables users to uncover trends and learn more about the cost of a data breach directly related to specific industries and security measures.
The study found that the average cost of a data breach is $3.62 million globally, a 10 percent decline since 2016. These data breaches cost companies $141 per lost or stolen record on average, a decrease from the $158 per lost or stolen record in last year’s global study. As stated above, at $380 per record, healthcare data breaches cost more than 2.5 times the global average of $141 per record. Also, within healthcare, the per capita cost has increased by $11 compared to the four-year average of $369.
IBM Security also looked at data breach costs specifically within the U.S., where data breaches cost companies an average of $225 per compromised record. Interestingly, the report breaks down that $225 per record and finds that $146 pertains to indirect costs, including abnormal turnover or churn of customers, and $79 represents the direct costs incurred to resolve the data breach, such as investments in technologies or legal fees. Healthcare also leads in the U.S. with the highest data breach costs ($380), followed by financial services at $336 per capita.
The researchers broke down the metrics that they used to calculate the cost of a data breach, which included the size of the breach or number of records lost or stolen, the unexpected and unplanned loss of customers following a data breach (churn), the time it takes to identify and contain a data breach, the detection and escalation of the data breach incident and the post-data breach costs, including cost to notify victims.
The report also found that the total average organizational cost of data breaches in the U.S. reached a new high this year at $7.35 million, a 5 percent increase compared to last year. In examining why the average cost of data breaches in the U.S. increased this year, the researchers found that the average total cost of a data breach increased 4.7 percent, the average per capita cost increased by 1.8 percent and abnormal churn of existing customers increased 5 percent.
Certain industries, including healthcare, are more vulnerable to churn, the study found. Healthcare experienced a relatively high abnormal churn rate last year, at 5.5 percent, along with life sciences (5.7 percent) and financial (7.1 percent), and these churn rates impact the overall cost of data breaches.
The researchers concluded, “The implication of this analysis is that industries with the highest churn rates could significantly reduce the costs of a data breach by emphasizing customer retention and activities to preserve reputation and brand value.”
Globally, while the overall cost of data breaches was down, many regions experienced an increased cost of a data breach, and the U.S. wasn’t the only country to experience increased costs in 2017. In the Middle East, organizations saw the second highest average cost of a data breach at $4.94 million, more than a 10 percent increase over the previous year. Canada was the third most expensive country for data breaches, costing organizations an average of $4.31 million.
In its analysis, IBM Security identified a close correlation between the response to regulatory requirements in Europe and the overall cost of a data breach. European countries saw a 26 percent decrease in the total cost of a data breach over last year’s study. Businesses in Europe operate in a more centralized regulatory environment, while businesses in the United States (U.S.) face unique requirements, with 48 of 50 states having their own data breach laws. Responding to a multitude of regulatory requirements and reporting to potentially millions of consumers can be an extremely costly and resource-intensive task, according to the researchers.
According to the global report, “compliance failures” and “rushing to notify” were among the top five reasons the cost of a breach rose in the U.S. “A comparison of these factors suggests that regulatory activities in the U.S. could cost businesses more per record when compared to Europe. For example, compliance failures cost U.S. businesses 48 percent more than European companies, while rushing to notify cost U.S. businesses 50 percent more than European companies. Additionally, U.S. companies reported paying over $690,000 on average for notification costs related to a breach - which is more than double the amount of any other country surveyed in the report,” the report authors stated.
Despite the decline in the overall cost—from $4 million to $3.62 million—companies in this year’s study are having larger breaches. The average size of the data breaches in this research increased 1.8 percent.
Globally, almost half of all breaches (47 percent) were caused by malicious or criminal attacks, resulting in an average of $156 per record to resolve, the study found. Within the U.S., malicious or criminal attacks continue to be the primary cause of a data breach, accounting for 52 percent of incidents. Further, within the U.S., 24 percent of incidents were caused by negligent employees, and another 24 percent were caused by system glitches, including both IT and business process failures.
Factors Influencing the Cost of a Data Breach
The report also outlined the top factors increasing the cost of a breach. The involvement of third parties in a data breach was the top contributing factor that led to an increase in the cost of a data breach, increasing the cost by $17 per record. “Organizations need to evaluate the security posture of their third-party providers – from payroll to cloud providers to CRM – to ensure the security of employee and customer data,” the report authors wrote.
For the third year in a row, the IBM Security and Ponemon researchers found that having an Incident Response (IR) Team in place significantly reduced the cost of a data breach, saving more than $19 per lost or stolen record. “The speed at which a breach can be identified and contained is in large part due to the use of an IR team and having a formal Incident Response plan. IR teams can assist organizations to navigate the complicated aspects of containing a data breach to mitigate further losses,” the report authors stated.
In addition, encryption and education were also among the factors shown to have the most impact on reducing the cost of a data breach. Extensive use of encryption resulted in a $16 reduction in cost per lost or stolen record, followed by employee training ($12.50 reduction per record).
According to the study, how quickly an organization can contain data breach incidents has a direct impact on the financial consequences. The cost of a data breach was nearly $1 million lower on average for organizations that were able to contain a data breach in less than 30 days compared to those that took longer than 30 days. Speed of response will become increasingly critical under new regulatory requirements such as the GDPR, which takes effect in Europe in May 2018 and will require organizations doing business in Europe to report data breaches within 72 hours or risk fines of up to four percent of their global annual turnover.
With such significant cost savings in mind, the study revealed there’s room for improvement for organizations when it comes to the time to identify and respond to a breach. On average, organizations took more than six months to identify a breach, and more than 66 additional days to contain a breach once discovered.
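The two timing metrics the study reports (time to identify and time to contain) and the two thresholds it mentions (30 days to contain, 72 hours to notify under the GDPR) are the kind of numbers an IR team should track for its own incidents. The following is an added example, not code from the report or from IBM Security or Ponemon; the incident records and timestamps are constructed for illustration, and the function and field names are the author's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional


@dataclass
class Incident:
    """One breach record as an IR team might keep it (field names are assumed)."""
    name: str
    compromised: datetime        # first unauthorised access, as established by forensics
    identified: datetime         # when the organisation discovered the breach
    contained: datetime          # when the breach was contained
    notified: Optional[datetime] # when the supervisory authority was notified; None = not yet


GDPR_NOTIFY_WINDOW = timedelta(hours=72)   # GDPR 72-hour breach notification requirement
CONTAIN_TARGET = timedelta(days=30)        # the study's 30-day containment threshold

# Constructed sample data (hypothetical, not figures from the study).
SAMPLE: List[Incident] = [
    Incident("inc-001", datetime(2017, 1, 10), datetime(2017, 7, 20),
             datetime(2017, 9, 30), datetime(2017, 7, 22)),
    Incident("inc-002", datetime(2017, 3, 1), datetime(2017, 3, 5),
             datetime(2017, 3, 20), datetime(2017, 3, 10)),
    Incident("inc-003", datetime(2017, 5, 1), datetime(2017, 5, 15),
             datetime(2017, 5, 25), None),
]


def _days(td: timedelta) -> float:
    return td.total_seconds() / 86400


def mean_time_to_identify(incidents: List[Incident]) -> float:
    """Average days from first compromise to discovery (the study's 'time to identify')."""
    return mean(_days(i.identified - i.compromised) for i in incidents)


def mean_time_to_contain(incidents: List[Incident]) -> float:
    """Average days from discovery to containment (the study's 'time to contain')."""
    return mean(_days(i.contained - i.identified) for i in incidents)


def late_notifications(incidents: List[Incident], now: datetime) -> List[str]:
    """Incidents whose authority notification missed the 72-hour window.

    An incident that has not been notified at all counts as late once the
    window has already passed at time `now`.
    """
    late = []
    for i in incidents:
        deadline = i.identified + GDPR_NOTIFY_WINDOW
        if i.notified is None:
            if now > deadline:
                late.append(i.name)
        elif i.notified > deadline:
            late.append(i.name)
    return late


def slow_containments(incidents: List[Incident]) -> List[str]:
    """Incidents that took longer than the 30-day containment threshold."""
    return [i.name for i in incidents if i.contained - i.identified > CONTAIN_TARGET]


if __name__ == "__main__":
    now = datetime(2017, 6, 1)
    print(f"mean time to identify: {mean_time_to_identify(SAMPLE):.1f} days")
    print(f"mean time to contain:  {mean_time_to_contain(SAMPLE):.1f} days")
    print("missed 72h notification:", late_notifications(SAMPLE, now))
    print("containment over 30 days:", slow_containments(SAMPLE))
```

In the constructed sample, inc-001 is discovered after 191 days and contained 72 days later, so it trips the 30-day threshold; inc-002 was notified five days after discovery and inc-003 has still not been notified two weeks later, so both miss the 72-hour window. Running the same functions over a real incident log gives a team its own mean time to identify and contain to compare against the study's six-months-plus and 66-day averages.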