By LYNN WANGERIN
Stoll Keenon Ogden PLLC
Data breaches are becoming more prevalent among companies located in the U.S., and recovering from them is becoming more expensive.
According to the 11th annual benchmark study conducted by the Ponemon Institute, the average total cost to resolve a data breach increased by 7 percent since the 2013 study, to a staggering $7.01 million. The average cost for each lost or stolen record containing sensitive information increased by 2 percent, from $217 to $221 per record.
The 2016 study examined costs incurred by 64 U.S. companies in 16 industry sectors. Data breaches involving more than 100,000 compromised records were not included in the results, since the institute found that breaches at most organizations averaged 29,611 compromised records.
The report provides information regarding trends gleaned from research as well as findings on factors that generate higher costs and factors that reduce the costs of data breaches.
Over the years, results from the Ponemon studies have revealed these trends:
- The cost of a data breach has not fluctuated significantly, suggesting that businesses should incorporate this cost into their data protection strategies.
- The biggest financial consequence of a data breach is lost business, which, not surprisingly, is greater in certain industries such as the financial, health, technology, life sciences and service industries. Organizations should include in any plan steps to retain customer trust.
- Most data breaches continue to be caused by criminal and malicious attacks, which take the most time to detect and contain and therefore have the highest cost per record.
- The costs of data breaches are higher for entities in regulated industries, such as healthcare and financial services, because of fines and higher-than-average loss of business.
- Improvements in data governance programs often result in cost savings. These may include having incident response plans in place, appointing a CISO, implementing employee training and awareness programs, and having a business continuity management strategy in place.
- Investment in data loss prevention controls, encryption programs, endpoint security solutions and threat sharing reduced costs.
Three factors were found to increase data breach costs the most:
- Third-party errors
- Extensive migration to the cloud
- Rush to notify
Third-party involvement resulted in the highest increase, a $20.30 surge in cost per record lost or stolen; cloud migration came in second with an increase of $15.40.
The Lesson to Learn
Businesses should carefully choose third-party vendors and ensure that vendor agreements require vendors to maintain standards that mitigate risk and to take responsibility in the event of a breach. At a minimum, vendor agreements should provide for an equitable sharing of the risk and costs if a breach occurs.
Many vendor agreements include provisions limiting vendor liability which, if not modified to exclude data breaches from the limitation, can leave the customer with all of the costs of the breach. Requiring vendors to carry appropriate insurance and, in certain circumstances, to name the customer as an additional insured may help mitigate the risk.
The risks and costs of data breaches are not likely to lessen, so planning and taking steps to mitigate and deal with a data breach will need to be part of the strategy of most, if not all, businesses.