The 2016 Cost of Data Breach Study: A Summary

The Ponemon Institute has conducted an annual benchmark study on the cost of data breaches for the last decade. Its 2016 Cost of Data Breach Study, sponsored by IBM, was published earlier this week. The overall report shows that the cost of breach resolution has continued the upward trend of recent years.

For the United States sample, the study puts the average total cost of breach response and resolution at $7.01 million, up from $6.53 million in 2015, a rise of 7% year on year. Ponemon puts the average cost per compromised record at $221, a rise of 2% ($4) on last year's figure.

The 2016 Cost of Data Breach Study covered 383 organizations around the world, including companies based in Australia, Brazil, Canada, France, Germany, India, Italy, Japan, Saudi Arabia, the United Arab Emirates, and the United Kingdom. Across all countries, the average data breach cost increased from $154 per record to $158 per record, and the average total cost per data breach increased from $3.8 million to $4 million.

Sixty-four companies based in the United States took part in this year’s benchmark study, and 16 industry sectors were represented.

Approximately 11% of organizations taking part in the 2016 Cost of Data Breach Study were from the healthcare industry.

Each participating company had experienced a breach of sensitive information and, under federal and state laws, was required to issue notifications to affected individuals. Ponemon gathered data for the study over a period of 10 months and interviewed a number of individuals in each company in order to obtain cost estimates for responding to a specific data breach.

Key Figures

Ponemon excludes catastrophic breaches of roughly 100,000 records or more, so that the very large settlements in such cases do not skew the results. The incidents studied this year exposed between 5,125 and 101,520 records, with an average of 29,611 records exposed or stolen per incident.

The definition of a data breach used by the Ponemon Institute was "a breach of data that involved individuals' names in addition to either Social Security numbers, financial records, debit/credit card numbers, or medical records". Both paper and electronic record breaches were included in this year's study.

The average total cost of a data breach increased by 7% over the past year, and the cost per compromised record increased by 2%. Two of the drivers are an increase in the size of data breaches and an increase in "abnormal churn," a greater than expected loss of customers following a breach of sensitive information. The average size of a data breach increased by 5% this year, and abnormal churn increased by 3%. The abnormal churn rate was highest in the healthcare, technology, finance, life science, and service industries.

Heavily regulated industries have a higher per capita data breach resolution cost than other industries, with healthcare facing the highest costs of all. The cost of a healthcare data breach was calculated to be $402 per record, considerably more than the second highest figure, $301 per record in the life science industry. The financial services industry was in third place with an average cost of $264 per compromised record.

Public sector breaches cost the least to resolve out of the 16 industries covered by the study, requiring a spend of only $86 per record. The average cost of $221 per record across all industry sectors is a new record high since data started being collected.

The cost per record of a breach can be broken down into its components. This works out as $76 for direct costs such as the purchasing of additional technology and legal fees, and $145 for indirect costs such as loss of business.

The 2016 Cost of Data Breach Study shows that the primary cause of data breaches was malicious or criminal attacks, which accounted for 50% of all data breaches. 23% of reported data breaches were the result of employee negligence, while 27% were caused by system glitches and business process failures. Malicious attacks proved to be the costliest to resolve.

Ponemon found that the cost of breach detection and escalation has increased significantly in recent years and is now at a record high. The average cost for detection and escalation was $0.61 million in 2015 and has risen to $0.73 million in 2016. Detection and escalation costs include forensic analysis, audit services, assessments, crisis team management, and communicating with executive management and the board of directors. Notification costs increased slightly, from $0.56 million last year to $0.59 million in 2016.

Ponemon determined that the average time taken to identify a data breach was 191 days and the average time to contain a breach was 58 days. Fast detection of a data breach reduces the cost of resolution: the average total cost of a breach was $5.83 million when the mean time to identify it was less than 100 days, and $8.01 million when the mean time to identify it was greater than 100 days.

The cost of breach resolution can be significantly reduced if a response plan is in place before a breach occurs. The average total cost of a breach was $5.24 million when containment was achieved within 30 days, and $8.85 million when containment took longer than 30 days.