Data Breach and Loss Statistics

Regulation is complex and variable¹:

A data breach is commonly defined as the unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information. Currently, forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information. However, current state legislation varies in terms of:

• What constitutes a breach?
• What is considered “personal information?”
• What “triggers” mandatory notification?
• What are the notification requirements?
• Who must be notified of a breach?
  
   

The Cost of a Data Breach²

How much can a data breach cost your organization?

*According to data gathered from breached organizations.

How the data was lost matters

• Data breach incidents involving the loss or theft of data-bearing devices increased per record cost by as much as $18 per record.
• Data loss resulting from a malicious or criminal attack yielded the highest cost at an average of $246 per compromised record, followed by system glitches and employee mistakes resulting in a average per record cost of $171 and $160, respectively.
• The same data shows malicious or criminal attacks as the most frequently encountered root cause of data breaches by organizations.
• Forty-four percent of respondents stated the main cause of data breach was a malicious or criminal attack against the organization.
• Thirty-one percent of organizations say employee negligence (a.k.a. human factor) and 25 percent say system glitches were the main causes of the data loss.

Your customers matter - In 2014, the cost of lost business from a data breach increased from $3.03 million to $3.2 million.

These costs include:

• Abnormal turnover of customers (a higher than average loss of customers for the industry or organization);
• increased customer acquisition activities;
• reputation losses and diminished goodwill.

Research reveals that abnormal churn or turnover of customers after data breaches may be a main driver in data breach cost. In fact, the average abnormal consumer churn rate between 2013 and 2014 increased 15 percent.

Your internal breach response team matters

• 2014 research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $13 per compromised record.
• Organizations with a strong security posture or a formal incident response plan in place prior to the incident can reduce the average cost of a breach as much as $21 and $17 per record,respectively.
• Research shows that appointing a CISO to lead a data breach incident response team can reduce per record cost by $10.
• Organizations that notified customers too quickly without a thorough assessment or forensic examination, incurred an average cost increase of $15 more per record.

Your partners matter

• Research shows that data breaches caused by your vendors or other third parties can increase per record cost by $25.

What else did Kroll see³?

• 31% of Kroll’s data breach response cases in 2014 were not malicious, but due to simple yet costly mistakes.
• The majority of these accidental breaches were made by internal employees who exposed data in both electronic (66%) and paper form (29%).
• 23% of Koll’s data breach response cases in 2014 involved unauthorized access to data.
• While “unauthorized access” is often associated with a Healthcare HIPPA privacy and security violation, in 2014, Kroll data revealed that our “general business” clients experienced their highest number of unauthorized access cases (27%) to date.
• In 2014 18% of Kroll’s data breach response cases were due to hacking - 30% in Healthcare, 20% in Education, and 18% in Retail.
• While almost half of our data breach response cases (48%) in 2014 involved electronic data, almost one quarter (24%) involved paper or non-electronic data.
  
   

Sources:
¹ National Conference of State Legislatures
² Ponemon Institute, 2018 Annual Study: U.S. Cost of a Data Breach.
³ Kroll internal data