Regulation is complex and variable¹:

A data breach is commonly defined as the unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of that information. Currently, forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches involving personally identifiable information. However, current state legislation varies in terms of:

  • What constitutes a breach?
  • What is considered “personal information?”
  • What “triggers” mandatory notification?
  • What are the notification requirements?
  • Who must be notified of a breach?

The Cost of a Data Breach²

How much can a data breach cost your organization?

                                                2017            2018            Change
Average Organizational Cost of a Data Breach    $3.61 million   $3.86 million   +6.93%
Estimated Cost of a General Data Breach         $141 million    $148 million    +4.96%

*According to data gathered from breached organizations.

How the data was lost matters

  • Data breach incidents involving the loss or theft of data-bearing devices increased per record cost by as much as $18 per record.
  • Data loss resulting from a malicious or criminal attack yielded the highest cost at an average of $246 per compromised record, followed by system glitches and employee mistakes resulting in an average per record cost of $171 and $160, respectively.
  • The same data shows malicious or criminal attacks as the most frequently encountered root cause of data breaches by organizations.
  • Forty-four percent of respondents stated the main cause of data breach was a malicious or criminal attack against the organization.
  • Thirty-one percent of organizations say employee negligence (a.k.a. human factor) and 25 percent say system glitches were the main causes of the data loss.

Your customers matter - In 2014, the cost of lost business from a data breach increased from $3.03 million to $3.2 million.

These costs include:

  • Abnormal turnover of customers (a higher than average loss of customers for the industry or organization);
  • increased customer acquisition activities;
  • reputation losses and diminished goodwill.

Research reveals that abnormal churn or turnover of customers after data breaches may be a main driver in data breach cost. In fact, the average abnormal consumer churn rate between 2013 and 2014 increased 15 percent.

Your internal breach response team matters

  • 2014 research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $13 per compromised record.
  • Organizations with a strong security posture or a formal incident response plan in place prior to the incident can reduce the average cost of a breach by as much as $21 and $17 per record, respectively.
  • Research shows that appointing a CISO to lead a data breach incident response team can reduce per record cost by $10.
  • Organizations that notified customers too quickly, without a thorough assessment or forensic examination, incurred an average cost increase of $15 per record.

Your partners matter

  • Research shows that data breaches caused by your vendors or other third parties can increase per record cost by $25.

What else did Kroll see³?

  • 31% of Kroll’s data breach response cases in 2014 were not malicious, but due to simple yet costly mistakes.
  • The majority of these accidental breaches were made by internal employees who exposed data in both electronic (66%) and paper form (29%).
  • 23% of Kroll’s data breach response cases in 2014 involved unauthorized access to data.
  • While “unauthorized access” is often associated with a Healthcare HIPAA privacy and security violation, in 2014, Kroll data revealed that our “general business” clients experienced their highest number of unauthorized access cases (27%) to date.
  • In 2014 18% of Kroll’s data breach response cases were due to hacking - 30% in Healthcare, 20% in Education, and 18% in Retail.
  • While almost half of our data breach response cases (48%) in 2014 involved electronic data, almost one quarter (24%) involved paper or non-electronic data.

Sources:
¹ National Conference of State Legislatures
² Ponemon Institute, 2018 Annual Study: U.S. Cost of a Data Breach.
³ Kroll internal data
