How Much Money Does a Data Breach Cost?

Source: Thinkstock

Source: Thinkstock

As banks and retailers struggle to keep up with hackers, data breaches are becoming more and more common. According to research conducted by the Ponemon Institute in partnership with IBM, most data breaches are now the result of malicious or criminal attacks rather than simple human error, or other factors, such as glitches in programming.

As a consumer, data breaches are a pain. There is the threat of identity theft, or credit card fraud, and often consumers are forced to suspend their accounts or cards in an effort to set things right. But for retailers and banks, the cost of data breaches can be astronomical. According to the Ponemon Institute’s annual study, the total average cost of a data breach worldwide has increased 15% over the past year to more than $3.5 million.

If $3.5 million is average, you might be wondering, just how pricey were the most expensive data breaches of the past year? According to Ponemon, the priciest data breach to resolve cost the company nearly $31 million. Even the least expensive data breach in the study still cost the company upwards of $750,000.

The average cost for each lost or stolen record has also increased. According to the study, the cost per record increased by more than 9%, from $136 per record in 2013, to $145 per record in 2014; and those numbers are still higher in the U.S., where the average cost for each lost or stolen record is $201.

Even more disheartening than the increasing cost of data breaches is perhaps the regularity with which companies, retailers, and banks are faced with such threats. According to Ponemon, “companies estimate that they will be dealing with an average of 17 malicious codes each month and 12 sustained probes each month.”

Retailers and other companies aren’t the only ones frustrated by the increasing frequency of data breaches. Credit unions, for their part, are often frustrated that they are often the ones left to assist customers with the aftermath of a data breach, such as credit card fraud. According to a recent survey conducted by the Credit Union National Association (CUNA), September’s data breach at the retailer Home Depot cost credit unions nearly $60 million, and affected more than 7 million debit and credit cards.

“The cost to credit unions of data breaches — which seem to be occurring with increasing regularity – is rising, as the CUNA surveys clearly demonstrate,” said CUNA President and CEO Jim Nussie. “The bottom line,” he added, “is that credit union members end up paying the costs — despite the fact that the credit unions they own had nothing to do with causing the breach in the first place.”

According to Nussie, data breaches are encouraged by a lack of legislation. He notes that “the law and incentive structure today allow merchants to abdicate that responsibility [for the breach], making consumers vulnerable.” But other sources have said that the real barrier to better security lies in the fact that neither banks, credit unions, or merchants want to take the plunge and invest in more secure technologies.

Credit unions get particularly upset by data breaches because while they are not directly at fault, they are forced to incur large costs in order to reissue cards to every consumers whose data was affected. “Card reissuance is an expensive proposition,” CUNA Chief Economist Bill Hampel said, though he says that fraud is actually the most expensive component of costs following a data breach, accounting for about 60% of the total costs.

That reluctance to change, however, may eventually be outweighed by the costliness of suffering from a data breach. Larry Ponemon, founder of the Ponemon Institute, explains that taking a “strong security posture” is the best way to decrease the likelihood of a breach. He added that “with a variety of threat vectors to contend with, companies must proactively implement policies and technologies that mitigate the risk of facing a costly breach.”

Further, it’s important for companies to have policies and procedures in place for dealing with data breaches when they do happen, because inevitably, they will continue to happen. “Efficient response to the breach and containment of the damage has been shown to reduce cost of breach significantly,” the Ponemon Institute study found.

Philip Dunkelberger, president and CEO of PGP Corporation, says that his company’s participation in the Ponemon study has made the severity and seriousness of data breaches abundantly clear. The study, he says, further demonstrates “that companies whose data is not protected are not only facing expensive direct costs from cleaning up a data breach, but also a loss in customer confidence that has long lasting ramifications.”

Nussie says that he believes more legislation is necessary, and in a press release, pleads that Congress take action. “The law and incentive structure today allow merchants to abdicate that responsibility, making consumers vulnerable,” Nussie said, adding that “Congress has a role to play in addressing the issue of merchant data breaches by making sure all of the participants are playing by the same set of data security rules, and that merchants who hold consumer data and allow that data to be breached, are responsible for the costs incurred by others.”

In reality, credit unions, companies, and banks are all responsible, to a certain degree. Jason Oxman, CEO of the Electronic Transaction Association, who spoke with NPR, says the real problem is that the technology we use to buy things and the structure that houses that technology are woefully antiquated. He points in particular to mag stripe credit cards, which, he says, were first introduced some 40 years ago.

So what’s the hold up? Experts say that banks and retailers have been at a bit of a standoff: Neither one wants to take the plunge to invest in new technology, and both are waiting for the other to overhaul the system. Meanwhile, consumers will just have to shop smart and keep a close eye on their transaction history.

More from Business Cheat Sheet: