Cost of Data Breaches Rising Globally, Says ‘2015 Cost of a Data Breach Study: Global Analysis’ by Larry Ponemon
Symantec Corporation and Ponemon Institute are pleased to present the 2013 Cost of Data Breach: Global Analysis, our eighth annual benchmark study concerning the cost of data breach incidents for companies located in nine countries. Since 2009, we have provided a consolidated report of the benchmark findings from all countries represented in the research.
In this report, we present both the consolidated findings and country differences. The number of global organizations represented this year has grown to 277 in nine countries. More than 1,400 individuals were interviewed for this study during a ten-month period. In last year’s report, 199 organizations from eight countries participated in this benchmark research.
As the findings reveal, the average per capita cost of data breach (compiled for nine countries and converted to US dollars) differs widely among the countries. Many of these cost differences can be attributed to the types of attacks and threats organizations face, as well as the data protection regulations and laws in their respective countries. In this year’s global study, the average consolidated per capita cost of data breach increased from $130 to $136. However, German and US organizations on average experienced much higher costs, at $199 and $188, respectively.
Ponemon Institute conducted its first Cost of Data Breach Study in the United States eight years ago. Since then, we have expanded the study to include the United Kingdom, Germany, France, Australia, India, Italy, Japan and, for the first time this year, Brazil. To date, 965 business and government (public sector) organizations have participated in the benchmarking process since the inception of this research series.
As mentioned above, this year’s study examines the costs incurred by 277 companies in 16 industry sectors after those companies experienced the loss or theft of protected personal data. It is important to note the costs presented in this research are not hypothetical but are from actual data loss incidents. They are based upon cost estimates provided by the individuals we interviewed over a ten-month period in the companies that are represented in this research.
The number of breached records per incident this year ranged from 2,300 records to more than 99,000 records. This year the average number of breached records was 23,647. We do not include organizations that had data breaches in excess of 100,000 because they are not representative of most data breaches and to include them in the study would skew the results.
The report examines a wide range of business costs, including expense outlays for detection, escalation, notification, and after-the-fact (ex-post) response. We also analyze the economic impact of lost or diminished customer trust and confidence as measured by customer turnover or churn.
The following are the most salient country differences measured in US dollars:
- The most and least expensive breaches. German and US companies had the most costly data breaches ($199 and $188 per record, respectively). These countries also experienced the highest total cost (US at $5.4 million and Germany at $4.8 million). The least costly breaches occurred in Brazil and India ($58 and $42, respectively). In Brazil total cost was $1.3 million and in India it was $1.1 million.
- Size of data breaches. On average, Australian and US companies had data breaches that resulted in the greatest number of exposed or compromised records (34,249 and 28,765 records, respectively). On average, Italian and Japanese companies had the smallest number of breached records (18,285 and 18,237 records, respectively).
- Causes of data breaches differ among countries. German companies were most likely to experience a malicious or criminal attack, followed by Australia and Japan. Brazilian companies were most likely to experience breaches caused by human error. Companies in India were the most likely to experience a data breach caused by a system glitch or business process failure.
- The most costly malicious and criminal attacks. Consolidated findings show that malicious or criminal attacks are the most costly data breach incidents in all nine countries. US and German companies experienced the most expensive data breach incidents, at $277 and $214 per compromised record, respectively. Brazil and India had the least costly data breaches caused by malicious or criminal attackers, at $71 and $46 per capita, respectively.
- Factors that decrease the cost. US and UK companies received the greatest reduction in data breach costs by having a strong security posture, incident response plan and CISO appointment. The US and France received the greatest cost reduction from the engagement of consultants to support data breach remediation.
- Factors that increase the cost. US companies realized the greatest increase in data breach costs when the breach was caused by a third-party error or involved quick notification of data breach victims, regulators and other stakeholders. UK companies had the greatest increase in the cost of data breach if the incident involved a lost or stolen device.
- Countries that lose the most customers following a data breach. France and Australia had the highest rate of abnormal customer turnover or churn following a data breach. In contrast, Brazil and India had the lowest rate of abnormal churn. In the context of this study, abnormal churn is defined as the customer turnover caused by the data breach (above the churn experienced in the normal course of business).
- Countries that spend the most and least on detection and escalation. On average, German and Australian organizations spent the most on detection and escalation activities, such as investigating and assessing the data breach ($1.3 million and $1.2 million, respectively). Organizations in India and Brazil spent the least on detection and escalation, at $359,406 and $358,478, respectively.
- Countries that spend the most and least on notification. Typical notification costs include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts and other efforts to make sure victims are alerted to the fact that their personal information has been compromised. US and German organizations on average spent the most ($565,020 and $353,927, respectively). Brazil and India spent the least on notification ($53,063 and $22,232, respectively).