Tech & Sourcing @ Morgan Lewis


This July, the 2018 Cost of Data Breach Study: A Global Overview was released as an independent study by Ponemon Institute, LLC, sponsored by IBM Security. The study breaks down the rising costs of data breaches and the likelihood of an organization experiencing a future data breach, with information derived through interviews with more than 2,200 professionals from 477 organizations that have experienced a breach in the last 12 months.

The study does not focus on “mega breaches,” which are breaches that exceed 1 million records. However, this year, for the first time, the annual study offers separate insights into data breaches that resulted in the exposure of more than 1 million records:

  • Mega breaches of 1 million records yield an average total cost of $40 million
  • Mega breaches of 50 million records yield an average total cost of $350 million

The study shows that across the board the cost of data breaches rose from last year:

  • Average total cost of a data breach increased 6.4%, from $3.62 million to $3.86 million.
  • Average cost for each lost record increased 4.8%, from $141 to $148.
  • Average size of the data breaches in the study increased by 2.2%.
  • Average global probability of a material breach in the next 24 months increased 0.2%, from 27.7% to 27.9%, with South Africa at the highest probability (43%) and Germany at the lowest probability (14.3%).
  • The United States is one of the costliest countries in terms of indirect damages, notification costs, post–data breach response costs, and overall cost of data breaches.

The study included the following countries, and broke down the costs related to data breaches into the following four categories:

  • Saudi Arabia
  • South Africa
  • South Korea
  • United Arab Emirates
  • United Kingdom
  • United States

  1. Detection and Escalation: Includes costs related to investigation, audits, crisis management, and internal communications.
  2. Notification Costs: Includes costs related to informing individuals whose information has been breached and communicating with regulators and outside experts.
  3. Post–Data Breach Response: Includes setting up processes to aid those affected by a breach and other remedial actions such as credit monitoring, legal costs, product discounts, opening of new accounts, and government fines.
  4. Lost Business Cost: Includes costs related to lost customers, business disruption and downtime, and the loss of reputation and goodwill.

Additionally, the study details specific factors that can help lower the cost of a data breach, including the following:

  • Senior-level leaders (such as chief privacy officers) and offers of data protection to affected individuals in the event of a breach reduce customer loss, because customers place higher trust in the organization’s response.
  • Clear data classification and retention programs reduce risk and access to records that have the potential to be breached.
  • Speed and efficiency of management in identifying and responding to a breach. The study found that
    • companies that identified a breach in less than 100 days saved more than $1 million as compared to those that took more time;
    • companies that contained a breach within 30 days saved more than $1 million, with an estimated average cost of $3.09 million rather than $4.25 million;
    • organizations with an incident response team reduced the cost by $14 per record or more; and
    • extensive use of encryption reduced the cost by $13 per record.
  • Effective management of the post–data breach response.

The study also notes the following:

  • Third-party involvement or cloud migration increased the cost per record.
  • Only 48% of the breaches in the study were caused by malicious or criminal attacks; however, such attacks are significantly more expensive than breaches caused by human error or negligence.

Finally, for the first time the annual study considered two new cost factors:

  • Security Automation: The average cost of a breach for organizations that fully deploy security automation is $2.88 million rather than $4.43 million, a $1.55 million net cost difference.
  • Use of Internet of Things (IoT): The extensive use of IoT devices increased the cost of a data breach by $5 per compromised record.

Although the study provides much useful data about the factors that contribute to or affect the cost of data breaches for organizations, the practical takeaway is the same regardless of how those factors play out: it is important to identify and implement best practices to reduce the mounting risks associated with a data breach.