Prepare for a Data Breach or Face the $6.5 Million Consequence: a New Study Shows the Increasing Costs of Data Breaches

Posted by Craig Carpenter

Recent data breaches have made for splashy (and even salacious) headlines, but a recently released study reminds us of the business reality that data breaches result in massive costs for affected companies. In the 2015 Cost of Data Breach Study: United States (sponsored by IBM), Ponemon Institute, an organization that conducts independent research on privacy, data protection and information security policy, examines the impact of data breaches on various U.S. companies that were victims in the last year. The study provides interesting insight regarding data breach trends and breach response costs. The study focuses on “average” size data breaches—the type that most companies may face—rather than enormous million-plus record data breaches. The study provides a salient reminder for companies that data breaches can have huge impacts on the bottom line.

The study’s findings include:

- The average cost of a data breach in the study was $6.5 Million.
- The average cost per stolen record has increased from $201 last year, to $217 per record.
- Heavily regulated industries (such as healthcare, financial, energy and transportation) tend to have higher costs.
- Malicious attacks were the primary cause of the attacks studied, followed by attacks due to negligent employees.
- Effective preparation can reduce the cost of a data breach.

The full study is available at: (Reg. Required).

What does this mean for companies?

The study confirms that data breaches continue to be a growing threat. With average remediation costs around $6.5 Million, companies can no longer ignore this threat; however, the study also confirms preparation (including steps that we have previously discussed on this blog – here, here and here) can go a long way to reduce the costs when the inevitable occurs. In light of these unsettling findings, companies should make data security a priority.

Some steps companies should consider to make data security a priority include:

- Identify and understand the sensitive data that your company collects and your system’s vulnerabilities;
- Establish and maintain appropriate administrative, physical and technical safeguards for sensitive information;
- Establish and maintain an Incident Response Plan;
- Have an Incident Response Team in place;
- Establish and maintain a company-wide Data Security Policy;
- Train employees regarding best practices to maintain data security;
- Involve the Board/Management in data security;
- Review third party vendor agreements for data protection and breach liability clauses; and
- Consider cyber security insurance protection (especially in light of the costs identified in the study).