For a number of years, Ponemon Institute has published reports on data breaches. The latest report, "2018 Cost of a Data Breach Study: Global Overview" (the "Report"), is worth the read. It explores not just the cost in dollars and organizational effort expended (direct and indirect costs), but also which factors increase and decrease those costs.
One thing to keep in mind when assessing the results of the Report is how it defines a data breach. For the study and its results, a data breach is limited to events where an individual's name together with a medical record, financial record or debit card is potentially put at risk. These breaches tend to be the most damaging. However, that is not always the case. We see a number of data breaches that are significant for an organization but involve information that would not fall within this scope. Therefore, the results reflected in the Report are more or less applicable to your organization depending on how closely its data fits the scope defined above.
According to the Report, Canada has the highest direct costs per compromised record. On average, Canadian businesses spend $81 per compromised record on direct costs such as forensic experts, lawyers and identity theft protection. Canada also has the second highest average per capita costs ($202) and is one of the most costly countries for resolving malicious or criminal attacks ($213 per compromised record).
According to the Report, having an incident response team in place prior to a breach can result in savings of as much as $14 per compromised record. Companies that use extensive encryption reduced their costs by as much as $13 per compromised record. Additionally, the faster a breach is identified, the lower the overall cost of the breach.
When a third party (such as a service provider) causes a breach, or when the entity is involved in a cloud migration at the time of the breach, the costs of the data breach increase by $13 per compromised record and $12 per compromised record, respectively.
Typically, data breaches involve thousands, if not hundreds of thousands, of records. Once the per-record cost of resolving a data breach, and the factors that increase and decrease that cost, are multiplied across that volume of records, the aggregate costs are significant.
Most of the Report's findings accord with the anecdotal evidence we see in helping clients respond to and manage data breaches, but it is good to have the empirical evidence for purposes of making and supporting management decisions in allocating resources. Having an incident response team (we also refer to these as breach response teams or a "go team") and using encryption over the data significantly decrease the costs of a breach. Regular system audits and assessments for breaches can help catch breaches sooner, which decreases the ultimate cost to the business in managing the breach.
The Report also underscores the need to ensure that due diligence and ongoing audits are conducted on all third-party service providers that touch the organization's data. Third-party service providers can be an organization's weakest link when it comes to security. As mentioned earlier, when these third parties cause the data breach, the costs to your organization increase.
Your incident response team should include representatives from management, IT, legal, insurance, public relations/communications and human resources. A plan should be in place to help the team respond to internal and external stakeholders in a prepared and efficient manner.
As experienced data security professionals and breach response team members, we can assist your organization in preventing data breaches and help respond and mitigate damages when they occur.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.