Data Breach Costs Not Always Tied to Size of Breach

By: Arieanna Schweber | 11/18/2015

The average per-record cost of a data breach is $964.31, according to the fifth annual Cyber Claims Study by NetDiligence, which uses actual cyber liability insurance claims to understand the real costs of incidents, from an insurer’s perspective. The average claim for a large company was $4.8 million, though overall the average claim was $673,676 when weighted against the full spectrum of mostly-smaller organizations sampled. The insight shows, however, that high per-record costs are possible regardless of breach size.

From an insurer’s perspective, costs related to a data breach can include crisis services (forensics, notification, credit/ID monitoring, legal counsel), legal damages, regulatory action (defense and settlement) and PCI fines. In the study, 160 data breach claims from mostly smaller organizations between 2012 and 2015 were examined, many of which remain ‘open,’ and thus still accruing costs. The study estimates this sample represents approximately 5% of the total number of cyber claims handled by all markets within this time period.

Although the study only offers a glimpse into the costs associated with a data breach, there are some interesting findings:

  • Healthcare was the sector most frequently breached (21%), followed by Financial Services (17%).
  • The largest breaches occurred in the Retail sector, followed by Healthcare
  • The median number of records lost was 2,300. The average number of records lost was 3.2 million. This represents a sample where the number of records exposed in a data breach claim ranged from 1 to 110,000,000
  • The average cost for legal defense was $434,354
  • Each year more claims are being submitted for breaches with a relatively small number of records exposed

Of course, there are more costs associated with a data breach than those an insurer can capture. Hard costs to respond to a breach, the loss of revenue, and fines from multiple regulators and legal costs can be estimated, to an extent. But what of the loss of faith from customers affecting business growth (opportunity loss)? Or how the fear of a data breach can cause an organization to put in too much of the wrong security, to fear the use of data, or to respond to risks with knee-jerk reactions that lead to unaddressed risks. It can take months to years for organizations to overcome a data breach, and yet the risks of a repeat incident never really go away.

Absolute can help you identify potential security threats and respond rapidly before they become damaging security incidents. Absolute Data & Device Security (DDS) allows organisations to persistently track and secure all of their endpoints within a single cloud-based console. Computers and ultra-portable devices such as netbooks, tablets, and smartphones can be remotely managed and secured to ensure—and most importantly prove—that endpoint IT compliance processes are properly implemented and enforced. Learn more here.

Financial Services