Annual Report on the cost of data breaches from the Ponemon Institute

One of the major concerns for any organisation processing personal data is the handling of data breaches. The legislation defines these as breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Given the breadth of the definition and the difficulty of protecting against human and technical errors, organisations must prepare for the reality of data breaches.

The Ponemon Institute, sponsored by IBM, released their annual report on the cost of data breaches which they have been undertaking for over 10 years. The report was created through qualitative interviews of 447 organisations in diverse sectors carried out in 15 countries including the UK but not Ireland. 

The comparison metric they used was the cost per record in a data breach. While the exact figure itself is not all that important given the diversity of the participants in terms of size and sector, what is valuable is the evidence of the factors shown to influence that figure either positively or negatively.  

The key findings:

The inclusion of factors influencing the cost per record was quite comprehensive. The interviewees were asked to provide details of resources spent on activities for the discovery of and the immediate response to the data breach (e.g. forensics and investigations), and those conducted in the aftermath of discovery (e.g. notification of victims and legal fees). In general, the key learning points on the source and costs of breaches within the report this year are:

1. The overall 5-year average cost of a data breach is continuing to increase gradually.  The cost varies greatly by county with the US being the most expensive ($7.91 per record) with the UK just under half that ($3.58).
2. The main source of breaches stem from malicious or criminal actions (48%) but human error is significant (27%) as is what they term system glitches (25%).
3. A major cost of a data breach is the loss of customer trust and thus of future business (referred to as customer churn). 
4. Undergoing a major migration to the Cloud increases costs should a breach occur during this period. The reliance on a third party responsible for such a breach also adds to the cost given the increase in complexity of handling such breaches.
5. For the first time, the report looked at the Internet of Things (IoT) and found organisations utilising this relatively new roll-out of connectivity to often everyday items carry a higher risk with IoT still having some way to go in addressing security.

Protecting your organisation and your data subjects:

However, it is not all bad news as the report has also identified actions that make a real difference to the costs of a data breach which can be readily addressed. The top four items that were shown to lower the cost of a data breach included:

1. Having an Incident Response Team in place to actively manage any breach in a timely manner. The earlier a breach is identified and addressed, the lower the cost.
2. Using extensive levels of encryption to help minimise the risk should any data be stolen or lost. 
3. Having Business Continuity Management in place such as a properly tested Business Continuity / Disaster Recovery Plan which links into data breach management procedures.
4. Training staff in data protection and breach reporting/handling. 

Many organisations will have elements of these in place but the value stems from having and integrated approach where there is continual learning from each incident such that the response becomes faster and more effective with each the cause of each incident addressed.

New tools:

For the first time, the report also looked at the value of rolling out automated security technologies. While this may currently be beyond the budget of smaller organisations it is becoming more common. The technology, which uses artificial intelligence and analytics, aims to augment or replace human intervention in the identification and handling of potential breaches. The report shows that only 15% of the 447 organisations had the technology fully deployed and another 34% had these partially deployed. 

The difference in cost of a data breach (per record) shows a considerable saving for those able to benefit from the technology.

• $2.88 when fully deployed
• $3.39 when technology partially deployed
• $4.43 when not deployed

Based on available budgets, the scale and categories of data being processed, such tools may offer an organisation a valuable addition to their defensive capabilities. 

Core message:

Breaches happen and they cost resources which need to be budgeted for. However, focusing on the response mechanisms and improving training can be a very effective means of minimising costs. This is especially so when combined with preventative technologies such as encryption and AI tools, budget permitting.

For more information please refer to our service pages or contact our Data Governance team