It cost U.S. companies hit by data breaches last year an average of $5.4 million to cope with the after-effects – up 9% from the year before, according to the ninth annual Ponemon Institute study published Monday.
On average, it cost $201 per record lost, up from the $188 the year before, based on Ponemon’s analysis of costs from the loss or theft of personal data incurred by 61 U.S.-based organization in more than two dozen industry sectors. Ponemon’s “2014 Cost of Data Breach Study: United States” concludes that the main reason for the steep increase in costs is “the loss of customers following the data breach due to additional expenses required to preserve the organization’s brand and reputation.”
Ponemon’s IBM-sponsored research included interviews with over 500 individuals directly involved at the victimized companies and government agencies. In 2013, there appeared to be what Ponemon refers to as “an abnormal churn rate” of 15% in customers abandoning companies – especially those in financial services -- hit by a breach.
Ponemon points out the 9% increase in breach costs is a big change from the past few years when breach costs either did not drop or rose only a bit. The cost stood at $214 per record lost in 2011. Factors in tallying data-breach costs include everything from forensics experts, outsourcing hotline support and free credit monitoring subscriptions, discounts to customers to make amends, in-house investigations, legal and all the extra work that mounts up after a breach.
Heavily regulated industries such as healthcare, transportation, energy, financial services, communications, pharmaceuticals and manufacturing tend to have a higher per capita breach cost, the report says. Health topped the charts at an average $316 per record lost, with transportation close behind at $286. The sectors defined as “hospitality” and “research” had the lowest cost, at $93 and $73 respectively.
Based on its analysis, Ponemon has ventured to make predictions on “the probability of a data breach based on two factors: how many records were stolen and the company’s industry.” The outfit says public-sector organizations in government and retail companies are “more likely” to be at risk of a breach than others, while “energy and industrial companies” are least at risk.
Ponemon also today published a global study on data-breach cost issues, in which 314 organizations in the U.S., United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the United Arab Emirates and Saudi Arabia participated on an anonymous basis. The study found a wide difference in data-breach costs, with the U.S. and Germany suffering the highest average tallies at $201 and $195 per customer record respectively, and Brazil and India the lowest, at $70 and $50. The study did not delve into exactly why that might be but said that the regulatory environment appears to be a factor. Healthcare in general is believed to have faced the highest per-capita cost per industry at $359 and the public sector the lowest at $100.
Malicious and criminal attacks are cited most frequently as the root cause for data breaches globally, comprising 42% of incidents, while 30% were blamed on a negligent employee or contractor, and 29% on “system glitches” related to both technology and business process failures. In the U.S. (see chart) this was roughly the pattern as well.
Data breaches resulting from malicious or criminal attacks on U.S. companies led to higher costs, at $246 per compromised record on average, in comparison to $171 for a “system glitch” and $160 for “human error.”
Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org