Average data breach costs £4.25M

News by Ashley Carman

In a year already characterised by huge data breaches at healthcare organisations and at major government entities, it's no surprise that victims' personal information is a hot commodity.

An annual study from the Ponemon Institute and IBM released on Wednesday found that the average per capita cost of a data breach increased to US$217 (£142) in 2015 from $201 (£131.64) in 2014. In addition, the average total cost of a data breach increased to $6.5 million (£4.25 million) from $5.8 million (£3.8 million) the prior year.

The U.S. study looked at 62 companies in 16 industry sectors after they experienced the loss or theft of protected personal data and then had to notify victims.

The cost per record takes into account indirect costs, such as abnormal turnover or churn of customers, as well as direct costs caused by the breach itself, including technology investment and legal fees. Only $74 (£48.4) was attributed to direct costs.

The study also noted, however, that not all records are seen as equal when stolen. Health records have an average cost of $398 (£260) each, whereas retail records cost $189 (£123.70) each.

Caleb Barlow, VP of security at IBM, said in an interview with SC that these cost discrepancies aren't surprising, given what can be done with the various records.

“A credit card [that can be gained from retailers] is something that the risk of it is really from the time it's breached until the credit card is replaced,” he said. “The half-life is a very limited period of time versus a health care record that never changes. When the genie's out of the bottle you're not getting her back in.”

He went on to say healthcare breaches could impact victims for decades.

The study also identified factors that could both positively and negatively affect the cost of a data breach.

Having an incident response plan and team in place, for example, decreased the average cost to $193.2 million (£126.44 million). On the other hand, third-party breaches increased the average cost to $246 million (£161 million).

These findings, Barlow said, reflect the necessity to plan ahead for breaches.

“[Data breach planning] should be at the same level you would consider any other major business risk,” he said. “It requires the same level of planning, the same level of rehearsal and the same level of practice.”
