Written by Martin P.J. Kratz QC
An important resource for those who study the impact of data breaches is updated for 2018. The 2018 Cost of Data Breach Study: A Global Overview was released by Ponemon Institute, LLC.
The Ponemon Study covers numerous countries and includes a continuing focus on Canada. Some Canadian statistics show the financial impact of data breaches.
Globally, Canada has the highest direct costs from a breach at US$81 per record including items such as engaging forensic experts, specialist law firm assistance, purchase of identity protection services and the like. Canada also had the second highest indirect costs at US$116 per record. Indirect costs include employees’ cost and effort to notify victims and investigate the breach, as well as the loss of goodwill and customer churn.
The study indicated that for Canada, half (50 percent) of breaches are caused by malicious or criminal activity, with 25 percent caused by system glitches and 25 percent caused by human error. The cost of such breaches vary by source of the breach as follows—US$170 per record for breaches due to malicious or criminal activity, US$130 per record for breaches due to system glitches and US$125 per record for breaches due to human error.
Globally, the average cost of a breach was US$3.86 million, up by 6.4 percent from the prior year, or a cost of US$148 per record.
A particularly interesting analysis looks at the factors that save costs in a data breach and those factors that increase the costs in a data breach. These cost savings or cost increases are a useful guide for management.
The top five steps that decreased costs in a data breach, in descending order, were:
- company had an incident response team—US$14 cost per record decrease;
- company extensively used encryption—US$13.1 cost per record decrease;
- involvement of business continuity management—US$9.3 cost per record decrease;
- training of employees—US$9.3 cost per record decrease; and
- participating in sharing of threat information—US$8.7 cost per record decrease.
The above factors are among the best practices that every organization should consider as it regularly updates its breach protection and prevention policies and practices. While not in the top five, interestingly the Ponemon Study shows that factors such as involvement of the board of directors and organizations that appointed a Chief Information Systems Officer each lead to cost reductions of US$6.5 per record.
So what factors increase costs in a data breach? The Ponemon Study also identified those. The top five steps that increased costs in a data breach, in ascending order, were:
- involvement of third parties—US$13.4 cost per record increase;
- extensive cloud migration—US$11.9 cost per record increase;
- compliance failures—US$11.9 cost per record increase;
- extensive use of mobile platforms—US$10 cost per record increase; and
- lost or stolen devices—US$6.5 cost per record increase.
The above data are among a checklist of factors that increase risk and need to be the subject of focused management attention. While not in the worst five factors, of note, was that being too quick to notify actually increased costs by US$4.9 per record.
In Canada, the average number of records compromised in a breach were 22,275 records. If one applies the global costs per record above, one can see the cost effectiveness of protective practices and the costs of certain risks from an economic perspective very quickly.
November 1, 2018, brings mandatory breach notification to Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), following Alberta’s Personal Information Protection Act (PIPA) which has had such a law since 2010. Canadian organizations can expect that mandatory notification requirements will increase the attention paid to the protection of personal information.
The 2018 Ponemon Study is a useful guide for organizations that are reviewing the threat environment and making decisions on those practices and policies in order to mitigate the risks of data breaches.