New 2018 Cost of Data Breaches Study Released

An important resource for those who study the impact of data breaches is updated for 2018. The 2018 Cost of Data Breach Study: A Global Overview was released by Ponemon Institute, LLC.

The Ponemon Study covers numerous countries and includes a continuing focus on Canada. Some Canadian statistics show the financial impact of data breaches.

Globally, Canada has the highest direct costs from a breach at $81 USD per record, including such items as engaging forensic experts, specialist law firm assistance, purchase of identity protection services and the like. Canada also had the second highest indirect costs at $116 USD per record. Indirect costs include employees’ cost and effort to notify victims and investigate the breach as well as the loss of goodwill and customer churn.

The study indicated that for Canada half (50%) of breaches are caused by malicious or criminal activity, with 25% caused by system glitches and 25% caused by human error. The cost of such breaches varies by source of the breach as follows: $170 per record for breaches due to malicious or criminal activity, $130 per record for breaches due to system glitches and $125 per record for breaches due to human error.

Globally, the average cost of a breach was $3.86 million USD, up by 6.4% from the prior year, or a cost of $148 USD per record.

A particularly interesting analysis looks at the factors that save costs in a data breach and those that increase them. These cost savings and cost increases are a useful guide for management.

The top five steps that decreased costs in a data breach, in descending order, were:

  • Company had an incident response team – $14 USD cost per record decrease,
  • Company extensively used encryption – $13.1 USD cost per record decrease,
  • Involvement of business continuity management – $9.3 USD cost per record decrease,
  • Training of employees – $9.3 USD cost per record decrease, and
  • Participating in sharing of threat information – $8.7 USD cost per record decrease.

The above factors are among the best practices that every organization should consider as it regularly updates its breach protection and prevention policies and practices. Interestingly, though not in the top five, the Ponemon Study shows that factors such as involvement of the board of directors and the appointment of a Chief Information Systems Officer each lead to cost reductions of $6.5 USD per record.

So what factors increase costs in a data breach? The Ponemon Study also identified those. The top five steps that increased costs in a data breach, in ascending order, were:

  • Involvement of third parties – $13.4 USD cost per record increase,
  • Extensive cloud migration – $11.9 USD cost per record increase,
  • Compliance failures – $11.9 USD cost per record increase,
  • Extensive use of mobile platforms – $10.0 USD cost per record increase, and
  • Lost or stolen devices – $6.5 USD cost per record increase.

The above data are among a checklist of factors that increase risk and need to be the subject of focused management attention. Though not among the five worst factors, it is notable that being too quick to notify actually increased costs by $4.9 USD per record.

In Canada, the average number of records compromised in a breach was 22,275. Applying the global per-record costs above to that figure quickly shows, from an economic perspective, the cost effectiveness of protective practices and the cost of the risk factors listed.

November 1, 2018 brought mandatory breach notification to Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), following Alberta’s Personal Information Protection Act (PIPA) which has had such a law since 2010. Canadian organizations can expect that mandatory notification requirements will increase the attention paid to the protection of personal information.

The 2018 Ponemon Study is a useful guide for organizations that are reviewing the threat environment and making decisions on those practices and policies in order to mitigate the risks of data breaches.