Cost of data breaches rose in 2013, study finds

By Erin Ayers on May 7, 2014

sneakyspyThe average cost paid by organizations hit with a data breach increased last year, largely due to the fact that more consumers end their relationships with compromised companies, according to a new report from the Ponemon Institute.

“In the past two years, we reported a small but steady decline in what organizations were paying to deal with a data breach,” the authors of the study said. “This year, both the cost of a data breach for organizations and the cost per lost or stolen record have increased.

“The primary reason for the increase is the loss of customers following the data breach due to the additional expenses required to preserve the organization’s brand and reputation. In fact, the average rate of customer turnover or churn increased by 15 percent since last year.”

Ponemon reported that the average cost per lost or stolen record rose to $201 from $188, and average costs paid by organizations rose to $5.9 million from $5.4 million. The cost of lost business increased from $3.03 million to $3.2 million, the study found. Breaches occurred primarily because of “malicious or criminal attacks” (44 percent) rather than any negligence (31 percent) or system problems (25 percent).

Significantly, the study found that proper business continuity management provides the ability to cut the costs of a breach – by an average of $13 per record. This study represents the first time Ponemon has been able to quantify the effect of planning on data breaches. The firm also found that organizations with strong security profiles and formal incident response plans fared better, with the average cost of the breach dropping by up to $21. Appointing a chief information security officer (CISO) contributes favorably as well.

On the other hand, Ponemon identified actions that could increase the cost of a breach. Notifying consumers too quickly, without a thorough investigation, boosted costs by an average $15 per record.

Ponemon said it doesn’t include breaches with more than 100,000 comprised records, finding that less representative of the type of breaches experienced by most organizations. The average number of records studied was 29,087.

Finally, the study attempted to measure the probability that an organization would be at risk for a breach.

“Specifically, U.S. public sector organizations and retail companies are far more likely to have a breach. Energy and industrial companies are least likely to have a breach. In all cases, it is more likely a company will have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records,” Ponemon said.'

Erin is an editor at Advisen. She has 15 years of journalism experience. Prior to Advisen, Erin covered property-casualty insurance for 13 years as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].