The Ponemon Institute, which conducts independent research and offers strategic consulting on privacy, data protection, and information security policy, recently released its 2016 Cost of Data Breach Study: Global Analysis (2016 Study) identifying global trends in costs associated with data breaches and the implications for organizations. Ponemon conducts the study annually with the goal of quantifying the economic impact of data breaches and observing cost trends over time. According to Ponemon, “a better understanding of the cost, the root causes and factors that influence the cost will assist organizations in determining the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack.”
The 2016 Study—which included 383 companies in 12 countries—found that, compared with the 2015 study, the average total cost of a data breach increased from $3.79 million to $4 million, and the average cost per lost or stolen record containing sensitive and confidential information increased from $154 to $158. Ponemon’s analysis also places the likelihood of an organization suffering at least one material data breach (defined as at least 10,000 lost or stolen records) within the next 24 months at 26%.
We’ve included some highlights from the 2016 Study below:
- Even with the cost of data breaches once again increasing (as noted above), the overall cost of data breaches has not fluctuated significantly in the 11 years since Ponemon began conducting its annual study. Ponemon describes this as an indication that these costs are a “permanent cost organizations need to be prepared to deal with and incorporate into their data protection strategies.”
- Lost business—including abnormal customer turnover, increased customer acquisition activity, reputational losses, and diminished goodwill—represents the largest financial consequence for organizations that experience a data breach. Lost-business costs were highest in the United States relative to the other countries studied.
- Criminal and malicious attacks continue to be the most common cause of data breaches. The 2016 Study found that 48% of all breaches were caused by such attacks.
- The cost of a data breach varies by industry, with average costs per lost or stolen record ranging from $80 (public sector) to $355 (healthcare). The most costly breaches occur in heavily regulated industries such as healthcare and financial services, in part because of regulatory fines and a higher rate of lost business.
- Concerted data governance efforts and programs—including having an incident response team in place, appointing a chief information security officer, and maintaining an appropriate business continuity management strategy—continue to reduce the cost of a breach.