In 2014, the Ponemon Institute published the 2014 Cost of Data Breach Study that includes interesting cost information related to remediation efforts undertaken by 61 companies that operate in the United States.
The study reports that the average remediation cost for each lost or stolen record containing confidential or sensitive information was $201. The average total cost of remediation efforts was $5.85 million per incident.
The number of breached records per incident studied ranged from 5,000 to slightly more than 100,000 records. The average number of breached records in the study was 29,087. The average cost of $201 per record represents a 7% increase over the average of $188 per record found in Ponemon’s 2013 study.
In responding to a breach, businesses incur more in indirect costs than direct costs. The Ponemon study explains that direct costs refer to what companies spend to minimize the consequences of a data breach and to assist victims. These costs include engaging forensic experts to help investigate the data breach, hiring lawyers to help manage the breach and any required notification or third-party claims, and offering identity protection services to affected data subjects. The study reports that $67, or 33% of the $201 per compromised record, was spent on direct costs. On average, companies spent 8.6% of the average $5.9 million per incident – roughly half a million dollars – on notification costs as a direct expense.
Indirect costs are costs incurred by existing internal resources in dealing with the data breach. The report calculates that $134, or 67% of the $201 per compromised record, is made up of these costs. They include the amount of time, effort and other organizational resources spent, but not direct out-of-pocket expenditures. Included as an indirect cost is the amount of time employees spend on data breach notification efforts.
Most businesses also incur lost opportunity costs associated with a breach incident. These result from diminished trust or confidence on the part of present and future customers. As the study notes, the negative publicity associated with a data breach incident causes reputation effects that result in abnormal turnover rates and a diminished rate of new customer acquisition. The study researched this effect and found that lost customer business and customer acquisition costs amounted to 42% of the total cost of $5.85 million per incident – roughly two and a half million dollars. These costs are indirect, but very real.
The study quantifies what is commonly known: when a business suffers a data breach that requires notification of the incident, the direct and indirect costs are significant. It’s not surprising that the study also includes a chart that shows a direct linear correlation between the number of compromised records and the cost of the response.
Interestingly, the study found that businesses that had an incident response plan in place before the breach occurred spent on average $17 less than the overall average of $201 per compromised record. That may not seem like a lot of money, but it’s nearly 8.5%. Applied to an average data breach cost of $5.85 million, a savings of 8.5% is nearly half a million dollars. For insight into how to develop an incident response plan, see our post – Do You Have Data Breach Response Plan?