Monthly Archives: August 2017

Cost of a data breach, 2017 — $225 per record lost, an all-time high

Larry Ponemon

IBM Security and Ponemon Institute are pleased to present the 2017 Cost of Data Breach Study: United States, our 12th annual benchmark study on the cost of data breach incidents for companies located in the United States. The average cost for each lost or stolen record containing sensitive and confidential information increased from $221 to $225. The average total cost experienced by organizations over the past year increased from $7.01 million to $7.35 million. To date, 572 U.S. organizations have participated in the benchmarking process since the inception of this research.

Ponemon Institute conducted its first Cost of Data Breach Study in the United States 12 years ago. Since then, we have expanded the study to include the following countries and regions:

  • The United Kingdom
  • Germany
  • Australia
  • France
  • Brazil
  • Japan
  • Italy
  • India
  • Canada
  • South Africa
  • The Middle East (including the United Arab Emirates and Saudi Arabia)
  • ASEAN region (including Singapore, Indonesia, the Philippines and Malaysia)

The 2017 study examines the costs incurred by 63 U.S. companies in 16 industry sectors after those companies experienced the loss or theft of protected personal data and the notification of breach victims as required by various laws. It is important to note that costs presented in this research are not hypothetical but are from actual data-loss incidents. They are based upon cost estimates provided by individuals we interviewed over a 10-month period in the companies that are represented in this research.

The number of breached records per incident this year ranged from 5,563 to 99,500 records. The average number of breached records was 28,512. We did not recruit organizations that have data breaches involving more than 100,000 compromised records. These incidents are not indicative of data breaches most organizations incur. Thus, including them in the study would have artificially skewed the results.

Why the cost of data breach fluctuates across countries

What explains the significant increases in the cost of data breach this year for organizations in the Middle East, the United States and Japan? In contrast, how did organizations in Germany, France, Australia, and the United Kingdom succeed in reducing the costs to respond to and remediate the data breach? Understanding how the cost of data breach is calculated will explain the differences among the countries in this research.

For the 2017 Cost of Data Breach Study: Global Overview, we recruited 419 organizations in 11 countries and two regions to participate in this year’s study. More than 1,900 individuals who are knowledgeable about the data breach incident in these 419 organizations were interviewed. The first data points we collected from these organizations were: (1) how many customer records were lost in the breach (i.e. the size of the breach) and (2) what percentage of their customer base did they lose following the data breach (i.e. customer churn). This information explains why the costs increase or decrease from the past year.

In the course of our interviews, we also asked questions to determine what the organization spent on activities for the discovery of and the immediate response to the data breach, such as forensics and investigations, and those conducted in the aftermath of discovery, such as the notification of victims and legal fees. A list of these activities is shown in Part 3 of this report. Other issues covered that may have an influence on the cost are the root causes of the data breach (i.e. malicious or criminal attack, insider negligence or system glitch) and the time to detect and contain the incident.

It is important to note that only events directly relevant to the data breach experience of the 419 organizations represented in this research and discussed above are used to calculate the cost. For example, new regulations, such as the General Data Protection Regulation (GDPR), ransomware and cyber attacks, such as Shamoon, may encourage organizations to increase investments in their governance practices and security-enabling technologies but do not directly affect the cost of a data breach as presented in this research.

The following are the most salient findings and implications for organizations:

The cost of data breach sets a record high. According to this year’s benchmark findings, data breaches cost companies an average of $225 per compromised record – of which $146 pertains to indirect costs, including abnormal turnover or churn of customers and $79 represents the direct costs incurred to resolve the data breach, such as investments in technologies or legal fees.

The total average organizational cost of data breach reaches a new high. This year, we record the highest average total cost of data breach at $7.35 million. Prior to this year’s research, the most costly breach occurred in 2011 when companies spent an average of $7.24 million. In 2013, companies experienced the lowest total data breach cost at $5.40 million.

Measures reveal why the cost of data breach increases. The average total cost of data breach increased 4.7 percent, the average per capita cost increased by 1.8 percent and abnormal churn of existing customers increased 5 percent. In the context of this paper, abnormal churn is defined as a greater-than-expected loss of customers in the normal course of business. In contrast, the average size of a data breach (number of records lost or stolen) decreased 1.9 percent.

Certain industries have higher data breach costs. Heavily regulated industries such as health care ($380 per capita) and financial services ($336 per capita), had per capita data breach costs well above the overall mean of $225. In contrast, public sector organizations ($110 per capita) had a per capita cost of data breach below the overall mean.

Malicious or criminal attacks continue to be the primary cause of data breach. Fifty-two percent of incidents involved a malicious or criminal attack, 24 percent of incidents were caused by negligent employees, and another 24 percent were caused by system glitches, including both IT and business process failures.

Malicious attacks are the costliest. Organizations that had a data breach due to malicious or criminal attacks had a per capita data breach cost of $244, which is significantly above the mean. In contrast, system glitches or human error as the root cause had per capita costs below the mean ($209 and $200 per capita, respectively).

Four new factors are in this year’s cost analysis. The following factors that influence data breach costs have been added to this year’s study: (1) compliance failures, (2) the extensive use of mobile platforms, (3) CPO appointment and (4) the use of security analytics. The use of security analytics reduced the per capita cost of data breach by $7.7 and the appointment of a CPO reduced the cost by $4.3. However, extensive use of mobile platforms at the time of the breach increased the cost by $6.5 and compliance failures increased the per capita cost by $19.3.

The more records lost, the higher the cost of data breach. This year, for companies with data breaches involving fewer than 10,000 records, the average total cost of data breach was $4.5 million, while companies with the loss or theft of more than 50,000 records had a cost of data breach of $10.3 million.

The more churn, the higher the cost of data breach. Companies that experienced less than 1 percent churn (the loss of existing customers) had an average total cost of data breach of $5.3 million, and those that experienced churn greater than 4 percent had an average total cost of data breach of $10.1 million.

Certain industries are more vulnerable to churn. Financial, life science, health, technology and service organizations experienced a relatively high abnormal churn rate, while public sector and entertainment organizations experienced a relatively low abnormal churn rate.

Detection and escalation costs are at a record high. These costs include forensic and investigative activities, assessment and audit services, crisis team management, and communications to executive management and board of directors. Average detection and escalation costs increased dramatically from $0.73 million to $1.07 million, suggesting that companies are investing more heavily in these activities.

Notification costs increase slightly. Such costs typically include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, secondary mail contacts or email bounce-backs and inbound communication set-up. This year’s average notification costs increased slightly from $0.59 million in 2016 to $0.69 million in this year’s study.

Post data breach costs decrease. Such costs typically include help desk activities, inbound communications, special investigative activities, remediation activities, legal expenditures, product discounts, identity protection services and regulatory interventions. These costs decreased from $1.72 million in 2016 to $1.56 million in this year’s study.

Lost business costs increase. Such costs include the abnormal turnover of customers, customer acquisition activities, reputation losses and diminished goodwill. The current year’s cost increased from $3.32 million in 2016 to $4.03 million. The highest lost business cost over the past 12 years was $4.59 million in 2009.

Companies continue to spend more on indirect per capita costs than direct per capita costs. Indirect costs include the time employees spend on data breach notification efforts or investigations of the incident. Direct costs refer to what companies spend to minimize the consequences of a data breach and assist victims. These costs include engaging forensic experts to help investigate the data breach, hiring a law firm and offering victims identity protection services. This year, the indirect costs were $146 and direct costs were $79.

The time to identify and contain data breaches impacts costs. In this year’s study, it took companies an average of 206 days to detect that an incident occurred and an average of 55 days to contain the incident. If the mean time to identify (MTTI) was less than 100 days, the average cost to identify was $5.99 million. However, if the mean time to identify was greater than 100 days, the cost rose significantly to $8.70 million. If the mean time to contain (MTTC) the breach was less than 30 days, the average cost to contain was $5.87 million. If it took 30 days or longer, the cost rose significantly to $8.83 million.


Disney, Viacom child privacy lawsuits try novel legal theory

Bob Sullivan

A California mom is suing Disney and some of its software partners for allegedly collecting personal information about her kids through mobile phone game apps. I was on the TODAY show this week talking about it.

Within days, the same mom also sued Viacom.

There’s a novel legal argument in these cases that I’m going to watch with great interest: an “intrusion upon seclusion” claim that I hadn’t seen before. If the mom — and potentially others, if class-action status is granted — succeed at winning such a claim and collecting damages, it could open doors to a new kind of privacy lawsuit.

The Disney allegations, which the firm denies, are what you’d expect. The suit claims Disney software places unique identifiers on mobile phones which can track app users — both in and out of game play — so Disney’s partners can serve targeted advertising. You can expect the usual debate about what constitutes personal information. Corporations that want to target ads usually claim they anonymize such data. Privacy advocates say that’s bunk. With just a few data points, people can be pretty precisely identified.

Federal law — the Children’s Online Privacy Protection Act, or COPPA — has strict rules about what can be collected from kids under 13. The Federal Trade Commission has weighed in on the issue, making clear that unique identifiers fall under COPPA, meaning they generally shouldn’t be used or collected when kids are involved.

The lawsuit claims Disney and its partners violated COPPA, but that doesn’t really get her far. COPPA does not provide a “private right of action.” Consumers can’t sue “under COPPA” and get anything; they can merely ask a federal agency (the FTC) to fine the violator.

So lawyers in the case have seized upon the “intrusion upon seclusion” tort. From what I can tell, this legal strategy is generally used when someone’s physical space is violated — as in sneaking into a home or hotel room. It has been used in previous digital privacy cases, however, said Douglas I. Cuthbertson, a lawyer at the firm pressing the case. He cited invasion of privacy cases involving Vizio (Smart TVs) and Nickelodeon (tracking videos watched). Both recently survived dismissal motions. It remains to be seen how much the cases are worth to plaintiffs, however.

According to Harvard’s publication of the American Law Institute’s guide to torts, here’s what “Intrusion Upon Seclusion” requires:

“The invasion may be by physical intrusion into a place in which the plaintiff has secluded himself, as when the defendant forces his way into the plaintiff’s room in a hotel or insists over the plaintiff’s objection in entering his home. It may also be by the use of the defendant’s senses, with or without mechanical aids, to oversee or overhear the plaintiff’s private affairs, as by looking into his upstairs windows with binoculars or tapping his telephone wires. It may be by some other form of investigation or examination into his private concerns, as by opening his private and personal mail, searching his safe or his wallet, examining his private bank account, or compelling him by a forged court order to permit an inspection of his personal documents.”

The four-pronged test to succeed in such a case, according to the Digital Media Law Project, involves:

  • First, that the defendant, without authorization, must have intentionally invaded the private affairs of the plaintiff;
  • Second, the invasion must be offensive to a reasonable person;
  • Third, the matter that the defendant intruded upon must involve a private matter; and
  • Finally, the intrusion must have caused mental anguish or suffering to the plaintiff.

In the Disney lawsuit, plaintiff’s lawyers use the alleged COPPA violation to establish that the data collection is offensive, and to pass several of those tests.

Eduard Goodman, global privacy officer at security firm Cyberscout, says he’s seen the intrusion upon seclusion legal strategy deployed in data breach lawsuits before. But that fourth prong of the test is the trickiest to meet. (Note: I am sometimes paid to write freelance stories for Cyberscout.)

“The problem, as with most all privacy torts in the U.S., what is the harm and damage here,” he said. Damages and financial compensation for torts like causing injury in a car accident are well established. What’s the harm in collecting someone’s personal data? That’s yet to be determined.