Data Breach Costs Study: Response, Containment Increase


The total average cost of responding, containing and reporting a data breach increased significantly, rising 15 percent to $3.5 million in 2013, according to an annual report that has been tracking expenses for nearly a decade.

The Ponemon Institute's Cost of Data Breach Study analyzed data breaches in 314 companies in 16 industry sectors and tracked cost estimates provided during interviews with nearly 1,700 executives about the costs incurred during each firm's response and cleanup efforts. The report, sponsored this year by IBM, found breaches involving lost or stolen devices or a serious lapse by a third-party business partner were often related to the costliest data breaches.

"The research reveals that reputation and the loss of customer loyalty does the most damage to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers," said Larry Ponemon, founder and chairman of the Ponemon Institute, in his analysis of the report. "Our report also shows that certain industries, such as pharmaceutical companies, financial services and health care, experience a high customer turnover."

[Related: Verizon 2014 Data Breach Report: The Bad Guys Are Winning]

Costs associated with a breach vary by country, depending on threats in the region and local data protection regulations and laws, Ponemon said. The average consolidated data breach cost increased from $136 to $145 per record. German and U.S. organizations, on average, experienced much higher costs at $195 and $201, respectively, Ponemon said. The analysis mirrors the firm's 2013 breach costs analysis

A strong security posture can significantly reduce data breach costs, according to the Ponemon analysis. Organizations that were able to contain costs often had a strong security posture, appointed a chief information security officer, and created and proactively tested its incident response plan, according to the report. By contrast, firms that had no senior leadership responsible solely for security suffered the most expenses. Those companies often were quick to notify about a breach, often reporting to authorities before the full extent of the security lapse was fully understood and contained, the report found.

For the first time, the Ponemon Report also found cyberinsurance playing an important role in not only containing breach costs, but also forcing businesses to establish a stronger security posture, Ponemon said. The report found that 32 percent of organizations it studied had an insurance policy to manage the risk of cyberattacks and threats. Many of the organizations had mature security programs, according to the report, and more than half (54 percent) indicated they were satisfied with the coverage.

"While it has been suggested that having insurance encourages companies to slack off on security, our research suggests the opposite," Ponemon said in the report. "Those companies with good security practices are more likely to purchase insurance."

NEXT: Calculating Risks Key In Containing Costs, Say Solution Providers