The Real Cost of a Data Breach (and Ways to Save)

Posted by Matthew Cornelia

In light of major breaches such as those suffered by Equifax, Home Depot, and Target, the mere mention of the phrase “data breach” is cause for anxiety. And for good reason. Data breaches are difficult to detect, common, and expensive.

According to a 2017 study, the average cost of a data breach in the U.S. was $7.35 million, or $225 per record. Globally, that number is lower, but still substantial, with an average data breach cost of $3.62 million, or $141 per record. Perhaps not surprisingly, data breaches are most costly in the healthcare, finance, and service industries, where customers’ sensitive personal information is regularly collected and maintained. And while roughly half of all data breaches were the result of a malicious attack, human error accounted for almost a quarter of all breaches.

Costs associated with data breaches fall into two broad categories: direct costs and indirect costs. Direct costs include engaging forensic experts, complying with state notification laws, and improving security systems to prevent future data breaches. Indirect costs include performing internal investigations, training employees, and costs associated with losing clients/customers.

The good news is there are steps you can take today to dramatically reduce both the likelihood of a breach and the costs if one does occur. These steps include training employees (including those in IT), encrypting sensitive data, developing an incident response plan, practicing the incident response plan (e.g., “fire drills”), having third-party security assessments, and implementing new security measures. For example, in 2017, the average per-record cost of a data breach for companies with an incident response plan in place was $19 less than for those without a plan. This represents a savings of roughly 10 percent. Periodically practicing the incident response plan with a mock breach can further decrease the time to contain a breach and the associated costs. Other steps to reduce breach costs include obtaining cyber-liability insurance, involving and educating the board of directors, and utilizing security analytics.

Proactively working with experienced outside counsel is another way to significantly reduce the cost of a data breach. An experienced cybersecurity team can assist by preparing an incident response plan, training key employees, improving security of data assets, participating in your breach response exercises, and interfacing with forensic experts on your behalf. If a breach does occur, experienced counsel can help to contain the breach, navigate state-by-state breach notification requirements, work with the authorities to identify and apprehend the attacker, and preserve privilege in communications with forensic experts and other consultants.

A copy of the Ponemon Institute’s 2017 Cost of Data Breach Study, containing additional analytics and study results, can be downloaded at: Ponemon 2017 Data Breach Study.

If you are interested in learning more about protecting your business from a data breach, the team of cybersecurity lawyers at Thompson & Knight is available to assist you.