So There’s Been a Data Breach: What Will That Cost?

It’s well known that most companies collect, store and use the personal information of their customers and employees. This is valuable and proprietary information, and most companies take steps to safeguard it from attack or inadvertent disclosure. Yet no security is perfect, and despite efforts to secure the information, it’s often not a matter of whether, but when, a company will suffer a data breach.

In May 2013, the Ponemon Institute released its 2013 Cost of Data Breach Study: Global Analysis (“Ponemon Study”), indicating that the average cost of a data breach for US companies is $188 per record. Notably, the Ponemon Study is based on a consumer perspective, and the cost per record includes hard costs (consumer notification, remediation, ID theft services) of approximately $60/record and soft costs (lost business, diminished goodwill) of approximately $128/record. Based on an average 28,765 records per US breach, the Ponemon Study identifies a total organization cost of $5,403,644 per data breach, a dollar amount that should catch the attention of the C-suite.

In October 2012, NetDiligence released its whitepaper Cyber Liability & Data Breach Insurance Claims: A Study of Actual Payouts for Covered Data Breaches (“NetDiligence Study”), which examines data breach costs from an insurer’s perspective. The NetDiligence Study indicates that the average cost of a data breach for US companies (based on hard costs as identified in insurance claims) is $3.94/record. This is based on an average of 1.4 million records per breach and an average cost of $3,700,000 per data breach.

While the Ponemon Study and NetDiligence Study are based on different approaches and yield different results, they both indicate the seriousness and financial implications of a data breach. Companies should continue to evaluate these types of reports as they implement plans, procedures, and tools to defend against, mitigate, and respond to data security threats.