The financial fallout from a data breach now costs companies an average of $3.86 million, up more than six percent from last year, according to a new study.
For the 2018 Cost of Data Breach Study, sponsored by IBM Security and conducted by the Ponemon Institute, researchers interviewed more than 2,200 IT, data protection, and compliance professionals from 477 companies in 15 countries or regional samples that have experienced a data breach over the past 12 years.
The study found the average cost for each lost record increased 4.8 percent from $141 to $148. Healthcareorganizations are hit particularly hard, costing an average of $408 per lost or stolen record, reports NBC News.
Overall, the average size of the data breaches in the study increased by 2.2 percent.
Fines and fees associated with data breaches include investigations, regulatory filings, lost business, negative impact on reputation and employee time spent on recovery, according to the report.
For the first time this year, the study also looked at the costs of mega breaches, which is a data breach involving more than one million compromised records.
Overall, the study analyzed 11 of the 16 mega breaches and found:
- Mega breaches increased from nine in 2013 to 16 last year
- The average cost of a mega breach was almost $40 million
- The average cost of a breach totaling 50 million records was $350 million
- The average time to detect and contain a mega breach was 365 days, compared to 99 days for a smaller breach
U.S Companies Hit Hardest with Data Breach Costs
Globally, U.S. companies experience the highest average cost per data breach at $7.9 million, followed by Middle Eastern firms at $5.3 million.
When asked by NBC News why American companies take the biggest financial hit, Ponemon said consumers “often vote with their feet” and stop doing business with a company that has suffered a breach.
“A lot of people do care about the privacy of their information and they want organizations to be more proactive in managing that information, so this loss of trust does translate into a much higher cost,” said a representative from the Institute.
The churn rate is particularly steep in highly regulated industries where customers have great expectations for the protection of their data. Healthcare organizations have the highest churn rate within the study at 6.7 percent.
Furthermore, the U.S. has a disjointed regulatory approach to breach notification.
“There are 49 different disclosure laws in the U.S. right now and they’re all different,” said Caleb Barlow, vice president of threat intelligence at IBM Security. “What you do in Arkansas is going to be completely different from what you do in Massachusetts and that can ratchet up the cost quite significantly.”
The time to contain a data breach also greatly affects the cost, found the study. Companies that were able to contain a breach in less than 30 days spent an average of $3.1 million on total costs compared to $4.3 million for those that took more than 30 days.
The key cost saver is having an incident response team ready to act, according to the report. Automated security tools that use artificial intelligence can also cut costs by more than $1.5 million.