
Posted in: Data Security/Privacy | Data Protection

Feb 11, 2019

Data Breaches – What Will Cost You and What Will Save You Money

By Paige Backman

For a number of years, Ponemon Institute has published reports on data breaches. The latest report, “2018 Cost of a Data Breach Study: Global Overview” (the “Report”), is worth the read. It explores not just the cost of a breach in dollars and organizational resources expended (direct and indirect costs), but also which factors can increase and decrease those costs.

One thing to keep in mind when assessing the results of the Report is how it defines a data breach. For the study and its results, a data breach is limited to events where an individual’s name and medical record, financial record or debit card is potentially put at risk. These breaches tend to be the most damaging. However, that’s not always the case. We see a number of data breaches that are significant for an organization but involve information that would not fall into this scope. Therefore, the results reflected in the Report will be more or less applicable to your organization depending on how closely your data matches the scope defined above.

According to the Report, Canada has the highest direct costs per compromised record. On average, Canadian businesses spend $81 per compromised record on direct costs such as forensic experts, lawyers and identity theft protection. Canada also has the second highest average per capita costs ($202) and is one of the most costly countries for resolving malicious or criminal attacks ($213 per compromised record).

According to the Report, having an incident response team in place prior to a breach can result in savings of as much as $14 per compromised record. Companies that use extensive encryption reduced their costs by as much as $13 per compromised record. Additionally, the faster a breach is identified, the lower the overall costs of the breach.

When a third party (such as a service provider) causes a breach or when the entity is involved in cloud migration at the time of the breach, the costs of the data breach increase by $13 per compromised record and $12 per compromised record, respectively.

Typically, data breaches involve thousands, if not hundreds of thousands, of records. If you look at the costs per record in resolving a data breach and the factors that increase and decrease such costs, the aggregate costs are significant.

Most of the Report’s findings accord with anecdotal evidence we see in helping clients respond to and manage data breaches, but it is good to have the empirical evidence for purposes of determining and supporting management decisions in allocating resources. Having an incident response team (we also refer to these as breach response teams or a “go team”) and using encryption over the data significantly decrease the costs of a breach. Regular system audits and assessments for breaches can help catch the breaches sooner, which decreases the ultimate cost to the business in managing the breach.

The Report also underscores the need to ensure due diligence and ongoing audits are conducted on all third-party service providers that touch the organization’s data. Third-party service providers can be an organization’s weakest link when it comes to security. As mentioned earlier, when these third parties cause the data breach, the costs to your organization increase.

Your incident response team should include representatives from management, IT, legal, insurance, public relations/communications and human resources. A plan should be in place to help the team respond to internal and external stakeholders in a prepared and efficient manner.

As experienced data security professionals and breach response team members, we can assist your organization in preventing data breaches and help respond to and mitigate damages when they occur.
