Tech & Sourcing @ Morgan Lewis


A common concern of parties involved in technology transactions is the potential high costs incurred in the event of a data breach. In an attempt to establish the legitimacy of the amounts one can actually expect to face, the Ponemon Institute, considered the preeminent research center dedicated to privacy, data protection, and information security policy, published the Cost of a Data Breach Report setting forth a vast data set that analyzed data breaches at over 500 organizations to spot trends and developments in security risks and best practices.

The key findings include the following:

  • The average cost of a data breach globally declined slightly year-over-year from $3.92 million in 2019 to $3.86 million in 2020.
  • Customers’ personally identifiable information (PII) was the most frequently compromised type of data as 80% of breached organizations stated that customer PII was compromised during the breach.
  • While the global cost of a data breach in 2020 was $3.86 million, the average cost of a data breach in the United States was much higher. The United States continued to experience the highest data breach costs in the world at $8.64 million on average.
  • The costs associated with data breaches in the healthcare industry soared 10.5% over 2019 and for the 10th year in a row healthcare continued to have the highest average breach costs at $7.13 million.
  • The energy sector also saw a large increase in data breach costs by rising 14.1% to an average of $6.19 million.
  • Despite big increases in the healthcare and energy sectors, overall 13 of the 17 industries studied experienced an average total cost decline in breach costs.
  • 52% of data breaches are caused by malicious attacks.
  • The average time to identify and contain a data breach is 280 days. The average time to identify and contain varied widely by industry. For example, in healthcare the average time for identifying and containment came in at 329 days as opposed to 233 days in the financial sector. The average cost savings of containing a breach in less than 200 days vs. more than 200 days is $1.12 million.

There is a great deal of fear surrounding potential costs associated with data breaches and parties often spend a large amount of time negotiating proper liability caps regarding this topic. The Cost of a Data Breach Report provides tangible data that can assist businesses in determining an appropriate liability cap.

Read the full report.