Average Cost of a Data Breach Rose in 2013
IBM and the Ponemon Institute recently released the results of the 2014 Cost of Data Breach Study, which analyzed the costs incurred by more than 60 U.S. businesses that suffered a data breach in 2013. Results of the survey showed the average per-record cost of a data breach to be $201, reversing a two-year decrease ($188 in 2013 and $194 in 2012). Similarly, the organizational cost of a data breach also rose for the first time in two years, to $5.9 million, up from $5.4 million in 2013 and $5.5 million in 2012.
The study calculates the cost of a data breach by adding the average of the direct expenses (contracting forensics, providing credit monitoring to customers, providing discounts for products and services in the future, etc.) and indirect expenses (cost of losing customers, conducting internal investigations, etc.) that a company incurs after suffering a breach.
Companies in the health care sector were hit the hardest by a breach in 2013, with an average per-record cost of $316. Following the health care sector were the transportation ($286 per record), education ($259), energy ($237) and financial ($236) sectors. The hospitality ($93), retail ($125) and public ($172) sectors all came in well below the $201 average per-record cost.
What were the main root causes of a data breach? According to the study, 44 percent of breaches were due to a malicious or criminal attack, up from 41 percent in 2012. System glitches accounted for a quarter of breaches, down 1 percent from 2012, and human error accounted for 31 percent of breaches, down from 33 percent in 2012. Malicious or criminal attacks were not only the most common cause, they were also the most costly, averaging $246 per record.
The average cost of notifying affected customers decreased in 2013 for the first time since 2007, to just over $500,000 per breach. This is a hefty total for any company, but it can particularly cripple small businesses that may not have the spare cash not only to notify customers of a breach, but to stay in business at all.
The 2014 study is the first in the series to include the odds of a company suffering at least one data breach in the next 24 months. According to the research, Ponemon can estimate how likely a company is to have another breach based on how many records were lost in the breach studied and on the industry to which the company belongs. Based on the aggregate probabilities of all the studied companies, the estimated likelihood of suffering a breach of at least 10,000 records in the next 24 months is about 19 percent, while the likelihood of a breach of more than 100,000 records is less than 1 percent.
Although the statistics are grim, there are many ways companies in every sector can reduce the impact of a data breach before it happens: train your workers on security basics; use encryption wherever possible; implement an incident response plan; strengthen your network security; and conduct regular audits of your company’s security systems.
Data Breaches Are a Growing D&O Risk
We know all about the massive data breach Target suffered during the last winter holiday shopping season—data stolen from 40 million credit and debit cards, along with 70 million customer information records—and now we’re seeing the aftermath of the event. Chairman of the Board, President and CEO Gregg Steinhafel stepped down in early May after the company received backlash for not responding to the breach as quickly and efficiently as possible.
In addition to dozens of lawsuits being filed against the company by banks and consumers affected by the breach, shareholders have also taken action against the company, alleging that Target’s directors and officers (D&O) didn’t manage the situation properly. One of the lawsuits claims that Target’s board of directors “failed to take reasonable steps to maintain its customers’ personal and financial information in a secure manner.” The shareholders seek monetary damages and cooperation by Target management to prevent a breach like this from ever happening again.
Fortunately for Target and other companies, there are insurance options available to mitigate the risk to D&Os. A D&O policy provides coverage for a “wrongful act,” such as an actual or alleged error, omission, misleading statement, neglect or breach of duty, and the policy is designed to handle lawsuits such as the ones brought by shareholders. A typical cyber liability policy covers damage done to a business, but not specifically the actions (or lack of action) of D&Os.
After a data breach, shareholders and customers will most likely make claims. Without D&O coverage, your personal assets are at stake and could be forfeited to cover legal costs. You can protect yourself and your assets after a data breach with a D&O insurance policy. Talk to your insurer about this type of coverage and be sure your policy is tailored to cover any gaps.