Data Security Statistics

Regulation is complex and variable[1]:

A data breach is commonly defined as the unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information. Currently, forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information. However, current state legislation varies in terms of:

What constitutes a breach?

What is considered “personal information?”

What “triggers” mandatory notification?

What are the notification requirements?

Who must be notified of a breach?

When must the notification be sent? What is the timing?

Who must comply? Who is exempt?

The Cost of a Data Breach[2]:

How much can a data breach cost your organization?

  2013 2014
Average Organizational Cost of a Data Breach $5.4 million $5.9 million
Estimated Cost of a General Data Breach $191 per compromised record $201 per compromised record

*According to data gathered from breached organizations.

How the data was lost matters

  • Data breach incidents involving the loss or theft of data-bearing devices increased per record cost by as much as $18 per record.
  • Data loss resulting from a malicious or criminal attack yielded the highest cost at an average of $246 per compromised record, followed by system glitches and employee mistakes resulting in a average per record cost of $171 and $160, respectively.
  • The same data shows malicious or criminal attacks as the most frequently encountered root cause of data breaches by organizations.
    • Forty-four percent of respondents stated the main cause of data breach was a malicious or criminal attack against the organization.
    • Thirty-one percent of organizations say employee negligence (a.k.a. human factor) and 25 percent say system glitches were the main causes of the data loss.

Your customers matter

In 2014, the cost of lost business from a data breach increased from $3.03 million to $3.2 million.

  • These costs include:
    • Abnormal turnover of customers (a higher than average loss of customers for the industry or organization);
    • increased customer acquisition activities;
    • reputation losses and diminished goodwill.
  • Research reveals that abnormal churn or turnover of customers after data breaches may be a main driver in data breach cost. In fact, the average abnormal consumer churn rate between 2013 and 2014 increased 15 percent.

Your internal breach response team matters

  • 2014 research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $13 per compromised record.
  • Organizations with a strong security posture or a formal incident response plan in place prior to the incident can reduce the average cost of a breach as much as $21 and $17 per record, respectively.
  • Research shows that appointing a CISO to lead a data breach incident response team can reduce per record cost by $10.
  • Organizations that notified customers too quickly without a thorough assessment or forensic examination, incurred an average cost increase of $15 more per record.

Your partners matter

What else did Kroll see in 2014[3]?

  • 31% of Kroll’s data breach response cases in 2014 were not malicious, but due to simple yet costly mistakes.
    • The majority of these accidental breaches were made by internal Healthcare employees who exposed data in both electronic (66%) and paper form (29%)
  • 23% of Koll’s data breach response cases in 2014 involved unauthorized access to data,.
    • While “unauthorized access” is often associated with a Healthcare HIPPA privacy and security violation, in 2014, Kroll data revealed that our “general business” clients experienced their highest number of unauthorized access cases (27%) to date.
  • In 2014 18% of Kroll’s data breach response cases were due to hacking- surprisingly 30% in Healthcare, 20% in Education (not surprised) and 18% in Retail.
  • While almost half of our data breach response cases (48%) in 2014 involved electronic data, almost one quarter (24%) involved paper or non-electronic data.

[1] Source- National Conference of State Legislatures
[2] Source- Ponemon Institute, 2014 Annual Study: U.S. Cost of a Data Breach.
[3] Source- Kroll internal data