By Lynn Wangerin
Data breaches are not only becoming more prevalent among companies located in the U.S., recovering from them is also becoming more expensive.
According to the 11th annual benchmark study conducted by the Ponemon Institute, the average total cost to resolve a data breach increased by 7 percent since the previous study conducted in 2013, to a staggering $7.01 million. The average cost for each lost or stolen record containing sensitive information increased by 2 percent, from $217 to $221 per record.
The 2016 study, released in June, examined costs incurred by 64 U.S. companies in 16 industry sectors. Data breaches involving more than 100,000 compromised records were not included in the results as the institute found that the types of breaches incurred by most organizations averaged 29,611 compromised records.
The report provides information regarding trends gleaned from research as well as findings on factors that generate higher costs and those factors that reduce the costs of data breaches. Over the years, results from the Ponemon studies have revealed these trends:
The three factors were found to increase data breach costs the most:
3rd party errors
Extensive migration to the cloud
Rush to notify
3rd party involvement resulted in the highest increase with a $20.30 increase in cost per record lost or stolen, with cloud migration coming in Second with an increase of $15.40.
The lesson to learn is to carefully choose 3rd party vendors and make sure that all vendor agreements require the vendor to maintain standards to mitigate risk, and requires the vendor to take responsibility in the event of a breach (or at the least provides for an equitable sharing of the risk and costs if a breach occurs). Many vendor agreements include provisions limiting the vendor’s liability, which if not modified to except out a data breach can leave the customer with all of the costs of the breach. Requiring vendors to carry appropriate insurance and, in certain circumstances, name the customer as an additional insured may help mitigate the risk.
The risks and costs of data breaches are not likely to lessen, so planning and taking steps to mitigate and deal with a data breach will need to be part of the strategy of most, if not all, businesses.