Cost of a Data Breach

Nicholas J Price
Companies in all industries need to keep their guard up because of the frequency and rising cost of data breaches. In particular, the healthcare industry has incurred the highest costs for the tenth year running. The nature of the breach and the size of the organization are also factors in how much a data breach costs.

Small and medium-size companies earning $50 million or less in annual revenue are more likely to fail after a data breach. For companies with fewer than 500 employees, the average cost of a data breach is $2.5 million, or 5% of their revenue, and many of them fail within six months of a breach.

Data Breach Costs Continued to Rise in 2019

The most recent comprehensive study on data breaches for 2019 was conducted by the Ponemon Institute for IBM Security. The study included interviews with 3,211 respondents from over 500 companies that had experienced a cyber breach within the last year. The researchers used an activity-based costing method that assigns a cost to each variable based on actual use. The analysis also took hundreds of cost factors into account, including legal, technical and regulatory costs as well as loss of brand equity, customers and employee productivity.

The Institute found that the cost of a data breach rose 12% over the last five years, bringing the average total cost of a data breach to $3.92 million. The reasons for the increase include the multi-year financial impact, the cost of increased regulation and the complexity of resolving criminal attacks. On average, a breach exposes 25,575 records. The cost per breached record is up from $148 last year to $150 this year.

Cost of a Data Breach By Industry

Costs for data breaches are the highest in the United States, with the average cost reaching $242 per record, or a total of $8.19 million.

Impact of Data Breaches on the Healthcare Industry

Across the globe, the healthcare industry continues to top the list of the highest breach costs. The average healthcare breach costs around $6.45 million to mitigate, substantially more than in other industries. The most recent statistics indicate that data breaches cost healthcare organizations 65% more than organizations in other industries, which equates to $15 million in the United States. Per record, the average cost of a healthcare breach is $429, up from $408 last year, an increase of 5.15%.

Impact of Data Breaches on the Financial Services Industry

The financial services industry runs a close second to the healthcare industry in data breach costs. The average cost of each breach is $210 per record, which is still only half the cost of healthcare records.

For example, Capital One's servers were hacked, affecting over 100 million U.S. customers. The data that was leaked included credit scores, credit card limits, balances, credit history, home addresses, Social Security numbers and bank account numbers.

First American Financial experienced a massive breach of over 800 million records due to an internal problem. Unbeknownst to the company, a flaw in the design of the database opened up critical data to the public. Anyone on the internet could view mortgage information, tax information, Social Security numbers and bank information.

Staff at Ascension misconfigured a server and exposed around 24 million financial and bank documents related to loans and mortgages. No passwords were required to obtain names, addresses, birthdates, Social Security numbers, bank account numbers, tax documents and more. The information wasn't protected from hackers, and it's unknown whether any information was stolen.

An Experian report also showed that consumers lost confidence in financial institutions that had a breach. Around 66% of people said they'd leave a company that had a poor response after a breach. About 45% of them would tell their friends to leave the bank too. About 90% of respondents would be willing to forgive a company that had a resolute post-breach communication plan in place.

Impact of Data Breaches on the Educational Industry

The exact impact of data breaches in education is unknown because many incidents aren't reported. In the first six months of 2017, the number of breaches in the educational sector doubled. Schools at all levels were attacked, including institutions of higher education. The stolen information included data taken from financial aid applications as well as patient data.

The K-12 Cybersecurity Resource Center reports that there were 122 known cybersecurity incidents in 38 states last year. Incidents included data that was disclosed by current and former staff, disclosure of data by students intentionally or not, data disclosed by vendors or others outside the school, and data disclosed by malicious actors.

Minimizing Costs After a Data Breach

IBM's study also found that organizations that had an incident response team and had developed and tested an incident response plan reduced their breach costs by $1.23 million. The study also showed that the faster organizations acted, the less they paid in data breach costs. Companies that were able to remediate a breach within 200 days saved $1.2 million, on average, in data breach costs.

Costs Continue After a Data Breach

While companies will quickly learn about the costs of a data breach, they will likely feel the impact for several years after an incident. About 67% of the costs of a breach come in the first year. Companies will face another 22% of costs in the second year and 11% in the third and following years. Highly regulated industries like healthcare usually incur costs even longer.

In addition to direct costs, many companies also lose business over a data breach. Lost business was the biggest cost component over the last five years, accounting for 35% of total breach costs. Once again, the costs were higher in the healthcare industry, where most patients refused to return to a provider after a breach.

Malicious Attacks Are Costly and Common

The most common cause of data breaches was malicious attacks, which accounted for 51% of breaches. Malicious attacks cost about 25% more than breaches caused by system glitches or human error. Between 2014 and 2019, malicious attacks increased by 21%.

There are no signs that the frequency or cost of data breaches will decline in the near future. That's sufficient reason for boards to consider using a highly secure board management system by Diligent. Security is built directly into the platform, which is hosted on secure servers and a world-class infrastructure that Diligent owns and operates. Diligent solutions are ISO- and TRUSTe-certified and internationally audited, with robust, customizable encryption and data access controls. If a device is lost or compromised, remote-wipe capabilities allow you to mitigate the risk swiftly.
Nicholas J. Price
Nicholas J. Price is a former Manager at Diligent. He has worked extensively in the governance space, particularly on the key governance technologies that can support leadership with the visibility, data and operating capabilities for more effective decision-making.