
Posted in: Data Security/Privacy

Aug 10, 2016

Has your Company Suffered a Data Breach? Expect to Lose $6.03 Million on Average

By Aaron Baer

There are 6.03 million reasons for organizations to protect their databases from cyber-attacks. The 2016 Cost of Data Breach Study (the "Study"), produced by IBM and the Ponemon Institute, serves as a sharp reminder for organizations to continue to bolster their data security initiatives. According to the Study, the average cost of a data breach is up 12.5% over the past year, from $5.32 million to $6.03 million. Adding to the concern, there is a 26% chance of a material data breach involving at least 10,000 lost or stolen records occurring within the next 2 years.

The Study examined the costs sustained by 24 Canadian companies from 11 different sectors over a 12-month period. Organizations that suffered a catastrophic number of breached records (more than 100,000 lost or stolen records) were omitted from the Study in an effort to provide representative results. This means, for example, that the massive data breach suffered by Ashley Madison was not accounted for in this study.

Some key findings:

  • The average number of breached records among the participating companies was 21,200, at an average cost of $278 per lost or stolen record.
  • Malicious and criminal activity is the leading cause of data breaches - accounting for 54% of all breaches. Such activity takes the most time to detect and contain: an average of 239 days, a sharp contrast to the 170 days for breaches caused by human error. Unsurprisingly, the Study confirmed that the longer it takes an organization to identify and contain a breach, the more costly the breach becomes.
  • Data breaches caused by extensive migration to the cloud, third-party errors, or lost or stolen devices lead to well-above-average costs of $300.05 per lost or stolen record. These costs include both indirect expenses - which include the amount of time, effort and other organizational resources spent on resolving the breach - and direct expenses.
  • One of the most significant financial impacts for organizations that have suffered a data breach is the resulting loss of business. This category includes abnormal customer turnover, increased customer acquisition activities, reputation losses, and diminished goodwill. Loss of business alone makes up more than 37% of the total cost incurred as a result of a breach. On average, a data breach costs an organization $2.24 million in lost business.

However, not all is doom and gloom. The Study identified certain factors that reduced the cost of a data breach. Organizations that had incident response teams and plans, employee training programs, board-level involvement and participation in threat sharing, and that used extensive encryption, decreased costs by as much as $25 per lost or stolen record, reducing the average cost per lost or stolen record to $253. While organizations have always been well aware of the qualitative reasons to prevent data breaches, the Study helps quantify the importance of investing in preemptive measures that reduce vulnerability and mitigate costs if breaches occur.
