skip to main content
Back to all blog posts

Posted in: Data Security/Privacy

Aug 10, 2016

Has your Company Suffered a Data Breach? Expect to Lose $6.03 Million on Average

By Aaron Baer

There are 6.03 million reasons for organizations to protect their databases from cyber-attacks. The 2016 Cost of Data Breach Study (the "Study"), produced by IBM and the Ponemon Institute, serves as a sharp reminder for organizations to continue to bolster their data security initiatives. According to the Study, the average cost of a data breach is up 12.5% over the past year, from $5.32 million to $6.03 million. Adding to the concern, there is a 26% chance of a material data breach involving at least 10,000 lost or stolen records occurring within the next 2 years.

The Study examined the costs sustained by 24 Canadian companies from 11 different sectors over a 12-month period. Organizations that suffered a catastrophic number of breached records (more than 100,000 lost or stolen records) were omitted from the Study in an effort to provide representative results. This means, for example, that the massive data breach suffered by Ashley Madison was not accounted for in this study.

Some key findings:

  • The average number of breached records among the participating companies was 21,200, at an average cost of $278 per lost or stolen record.
  • Malicious and criminal activity is the leading cause of data breaches - accounting for 54% of all breaches. Such activity takes the most time to detect and contain: an average of 239 days, a sharp contrast to the 170 days for breaches caused by human error. Unsurprisingly, the Study confirmed that the longer it takes an organization to identify and contain a breach, the more costly the breach becomes.
  • Data breaches caused by extensive migration to the cloud, third party errors, or lost or stolen devices lead to well above average costs of $300.05 per lost or stolen record. These costs include both indirect expenses - which include the amount of time, effort and other organizational resources spent on resolving the breach - and direct expenses.
  • One of the most significant financial impacts for organizations that have suffered a data breach is the loss of business suffered by breached organizations. This category includes abnormal customer turnover, increased customer acquisition activities, reputation losses, and diminished goodwill. Loss of business alone makes up more than 37% of the total cost incurred as a result of a breach. On average, a data breach costs an organization $2.24 million in lost business.

However, not all is doom and gloom. The Study identified certain factors that reduced the cost of a data breach. Organizations that had incident response teams and plans, employee training programs, board-level involvement and participation in threat sharing, and used extensive encryption decreased costs by as much as $25 per lost or stolen record, reducing the average cost per lost or stolen record to $253. While organizations have always been well aware of the qualitative reasons to prevent data breaches, the Study helps quantify the importance for organizations to invest in preemptive measures that reduce vulnerability and mitigate costs if breaches occur.

Related Categories

Related Blogs

Posted in: Data Security/Privacy

Insights TheSpotlight
Phishing Risk Deemed Sufficient in Alberta to Trigger “Real Risk Of Significant Harm” Threshold By Steve J. Tenai Mar 13, 2018 Since 2010, Alberta’s Personal Information Protection Act (“PIPA”) requires private sector organizations to notify the Office of the Information and Privacy Commissioner (“OIPC”) of a breach of personal information where a “reasonable person would con...

Posted in: Data Security/Privacy

Insights TheSpotlight
Cybersecurity Disclosure Guidance for Public Companies By Steve J. Tenai Mar 01, 2018 On February 21, 2018, the United States Securities and Exchange Commission issued interpretive guidance on cybersecurity disclosure obligations for public companies subject to U.S. securities laws. The Guidance underscores that public companies should inform investors about material cybersecurity...

Posted in: Data Security/Privacy

Insights TheSpotlight
Embracing Artificial Intelligence at Your Law Firm 3 Keys to Successfully Introducing AI By Aaron Baer Jan 05, 2018 Advances in technology are transforming entire industries: Airbnb and Uber have wreaked havoc on the hotel and taxi industries; Netflix and online-streaming have turned the media industry on its head; self-driving cars are set to revolutionize the automotive industry.