Healthcare data breach resolution costs are still higher than those of all other industries, but the latest Ponemon Institute/IBM Security study has shown that, for the first time ever, those costs have fallen year-over-year.
For seven years, Ponemon/IBM have been conducting their cost of a data breach study, and each year the cost of resolving data breaches has risen. This year, however, average breach resolution costs fell by around 10%. The average cost of a data breach is now $3.62 million globally, with an average per-record cost of $141.
Heavily regulated industries such as financial services and healthcare face higher breach costs, with healthcare topping the list for seven consecutive years. Healthcare data breach resolution costs are now $380 per exposed or stolen record.
The financial services sector had the second highest breach costs at $336 per record, followed by the services sector ($274), life sciences ($264), the industrial sector ($259), technology ($251) and education ($245). The lowest breach costs were for the entertainment industry ($131), research ($123) and the public sector ($110).
Breach resolution costs were higher for malicious or criminal attacks, which accounted for 52% of the breaches. System glitches and human error each caused 24% of breaches. The mean cost of a data breach caused by a malicious attack was $244 per record, while breaches caused by system glitches had a mean cost of $209 per record and breaches caused by human error cost $200 per record.
Numerous factors reduced breach costs, the most important of which was having a data breach response plan in place before a breach was experienced. Other factors that reduced breach costs were the use of encryption, employee training, business continuity management (BCM) involvement and the use of data loss prevention technologies. Fast detection and containment of data breaches also significantly reduced breach costs. When the mean time to identify a breach was less than 100 days, the average breach cost was $5.99 million, whereas a mean time to identify a breach of more than 100 days had an average breach cost of $8.7 million.
Factors that increased breach costs were identified as third-party involvement, compliance failures, a rush to notify breach victims and extensive migration to the cloud.
The study involved an assessment of data breach costs across 16 industries, with the costs calculated for 63 companies. Breach costs were determined after the companies had sent breach notification letters to affected customers.