Data Breaches Cost $1,000 Per Record: Study
Every record compromised in a data breach ends up costing almost $1,000 — and that’s probably on the low end, according to a new study by Gladwyne, Penn.-based risk assessment company NetDiligence.
The study of 160 insurance claims related to data breaches that occurred between 2012 and 2015 found the average breach compromises 3.2 million records, and each record costs $964.31 on average for everything from notifications to legal fees. The report also said financial services was the second-most frequently breached sector (health care was the first).
The average insurance claim for a breach is $673,767, according to the study, and the vast majority of total claim payouts (78%) went to crisis services such as forensics, ransoms, card replacement, public relations and credit monitoring.
The study also looked at the type of data exposed, the cause of loss, the business sector in which the incident occurred and the size of the affected organization. Personally identifiable information was the leader in type of data exposed, occurring in 45% of the sample. Payment card information was second at 27%, followed by private health information at 14%, it said. About seven out of every 10 incidents occurred in organizations with less than $2 billion in revenue.
Breaches don’t always hit organizations directly – one in four is attributable to third parties such as vendors, according to the survey. It’s especially a problem in the financial services sector, where 30% of all third-party breaches occur, it said. The average number of lost records was about three times higher when third parties were involved, the study added.
Hackers and malware or viruses get most of the blame for breaches, but the NetDiligence study found they are actually the culprit less than half the time (45%); the rest are due to lost or stolen laptops or other devices, compromised paper records, system glitches, wrongful data collection and other causes, according to the study. Notably, one-third of all breaches had insider involvement.
“The financial services sector also has cause to be concerned about insider threats,” the report said. “While only 17% of the claims in our dataset occurred in financial services, that sector accounted for 22% of insider incidents.”
Breaches in the sector cost an average of $141,249 per incident and exposed about 35,000 records on average.
NetDiligence also noted many of the 160 claims in its study are still open, meaning the reported costs only reflect payouts to date. Additional payouts on the claims are virtually certain, it said.
The data does suggest, however, that many organizations file claims for relatively small breaches. For example, the average cost for legal defense was $434,354 in the study, but a few large claims could be driving that, because the median – the point at which half the sample is above the number and half is below the number – was $73,600. Similarly, the average legal settlement was $880,839 but the median was just $50,000, the study found. Just 4% of the 160 claims included costs for PCI fines, which ranged from $21,229 to $600,000.
NetDiligence said its sample probably represents only about 5% of all cyber claims from 2012 to 2015. Nevertheless, it thinks breach costs are likely much higher for uninsured organizations.
“Insurers are putting in place ‘preferred vendor panels’ with pre-negotiated rates for crisis services costs, which we believe significantly reduces the cost of breach response for policyholders of those insurance carriers,” it said. “We estimate data breach response costs for an uninsured organization could be up to 30% higher than costs for an insured organization.”