Slideshow Data: How destructive are data breaches?

Published March 14 2018, 12:32pm EDT

While there is a collective sense that data breaches are simply a side effect of our digital existence, there are real costs for the companies impacted. The ones that are hit the hardest are the ones that are least able to weather the fines, remediation costs and lost reputation.

This week’s data slides complement this analysis of data breach penalties to provide quantitative data on the current state of the data breach landscape and the associated costs.

According to 2017 data from NetDiligence, the cost of data breaches is declining. From a peak average cost of $3.6 million per breach in 2012, costs have steadily declined year on year, despite notable breaches such as Target and Home Depot occurring in 2013 and 2014.

Total breach costs for the claims submitted in years 2014–2017 were $202 million. The smallest breach cost reported was just $110 while the largest was $16.8 million. The average cost for the period 2014–2017 was $394,000.

One of the most significant cost elements of a data breach is crisis management. Eighty-seven percent of claims (2014–2017) included costs for one or more components of crisis services. The smallest claim was $14, while the largest claim was $8.2 million. The average for crisis services was $249,000.

Of the claims that detailed the component costs of crisis management, 62% included forensics, 31% included notification, 26% included credit/ID monitoring and 76% included legal guidance.

The breaches that cost the most are a result of malicious attacks.

According to The Ponemon Institute, malicious attacks cost an average of $155.6 per capita in 2016. However, inadvertent data breaches also cost dearly. Incidents occurring as a result of a system glitch cost an average of $128.1 per capita and those caused by human error cost an average of $125.8 per capita.

Irrespective of the root cause, there is no denying that data breaches cost dearly.

While there may be an expectation that the majority of data breaches occur in financial services and retail due to these sectors being rich in highly sought payment card information, the two most frequently targeted verticals are health care and professional services, each responsible for 18% of data breaches.

Financial services and retail come in third and fourth place, with these industries being responsible for 13% and 11% of data breaches respectively.

Reflecting the lack of valuable data such as PCI and PII, education and hospitality are both responsible for just 4% of data breaches.

One of the most damaging aspects of a data breach can be the long-term reputational damage and the cost of lost business, highlighting the importance of a good recovery from a bad incident.

If less than 1% of customers take their business elsewhere, the average cost of this loss is $2.6 million. However, an increase to 3-4% of customers leaving nearly doubles the cost.

For large organizations, the likelihood of a high percentage of customers defecting is reduced due to the sheer size of their customer base. For smaller institutions, the defections can be far more pronounced and ultimately far more damaging.

The sad fact is that the largest companies, where some of the most egregious breaches have occurred, are far better equipped technologically, financially and reputationally to survive a data breach than smaller companies. Not only can they endure larger losses of customers due to their scale and invest in best-in-class fraud detection and prevention tools, but their size also benefits them in other ways.

In 2016, the average cost of a data breach for a company of $50 million in revenue was $195,000. For a company of $10 billion in revenue, the average cost of a breach was $1.6 million.

This means that a company of $50 million in revenue incurs losses equivalent to 0.39% of annual revenue, whereas a company of $10 billion in revenue incurs losses equivalent to just 0.02% of annual revenue. This gives further credence to the phrase “too big to fail.”