Using Real World Metrics to Calculate Today's Cost of a Data Breach


Transcript of Using Real World Metrics to Calculate Today's Cost of a Data Breach


The Scary Truth

It now takes an average of 31 days at a cost of $20,000 per day to clean up and remediate after a cyber attack

- Ponemon Institute, 2014

This presentation leverages metrics from the 2014 Ponemon Institute Study

• Conducted annually since 2005

• Analyzed 314 breaches in 16 industry sectors

• 61 of those breaches were in the United States

• Industries represented include financial, retail, healthcare, technology, and pharmaceutical

Costs of a Data Breach

$201 Per Record*

• Direct Costs: $66

– Legal defense costs

– Audit and consulting services

– Public relations, communications with customers, etc.

• Indirect Costs: $135

– Lost business

– Increased costs to acquire new customers

– In-house investigations, etc.

• Financial Industry Costs: $236 average per record

*2005 Survey - $138, 2013 Survey - $188, 2005-2014 Average - $191

Costs of a Data Breach

• 44% involved malicious or criminal acts

– Malware, criminal insiders, phishing/social engineering, SQL injection

– Cost per record of $246

• 31% involved “human error”

– Negligent or careless employees

– Cost per record of $171

• 25% involved system “glitches”

– Cost per record of $160

Costs of a Data Breach

• Average breach size: 29,087 records*

• Average notification costs: $509,000

• Average total cost: $5.85 million

• Abnormal customer churn increased 15% between 2013-2014

* By design the Ponemon survey excludes breaches greater than 100,000 records
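The three "Costs of a Data Breach" slides above give enough to build a simple estimator: a per-record figure chosen by root cause or industry, the direct/indirect split of the $201 average, and the survey's own limits. The following is an added example, not part of the original presentation or of the Ponemon study; the numbers are the ones quoted on the slides, and the modelling choices (a cause figure overrides the industry figure, the direct/indirect ratio is applied proportionally to every estimate) are assumptions, since the slides do not cross-tabulate them. The in-range check is the caveat a practitioner wants: the survey excludes breaches above 100,000 records, so multiplying a mega-breach by $201 is an extrapolation the data does not support (the VA example later in the deck shows why).

```python
"""Breach-cost estimator built from the per-record figures quoted on the slides.

Added example; not code from the original presentation or from the Ponemon Institute.
"""
from dataclasses import dataclass, field

# Per-record cost by root cause (2014 figures as quoted on the slides)
PER_RECORD_BY_CAUSE = {
    "malicious": 246,    # malware, criminal insiders, phishing, SQL injection
    "human_error": 171,  # negligent or careless employees
    "glitch": 160,       # system "glitches"
}
OVERALL_PER_RECORD = 201      # all-industry average per record
FINANCIAL_PER_RECORD = 236    # financial-industry average per record
DIRECT_PER_RECORD = 66        # direct-cost portion of the $201 average
SURVEY_MAX_RECORDS = 100_000  # the survey excludes larger breaches by design
AVG_BREACH_SIZE = 29_087      # average breach size in the survey
AVG_TOTAL_COST = 5_850_000    # average total cost in the survey


@dataclass
class Estimate:
    records: int
    per_record: float
    total: float
    direct: float
    indirect: float
    in_survey_range: bool
    notes: list = field(default_factory=list)


def per_record_cost(cause=None, financial=False):
    """Pick the per-record figure. Assumption: a known root cause overrides the
    industry figure, because the slides give no cause-by-industry breakdown."""
    if cause is not None:
        if cause not in PER_RECORD_BY_CAUSE:
            raise ValueError(f"unknown cause {cause!r}; expected one of {sorted(PER_RECORD_BY_CAUSE)}")
        return PER_RECORD_BY_CAUSE[cause]
    return FINANCIAL_PER_RECORD if financial else OVERALL_PER_RECORD


def estimate(records, cause=None, financial=False):
    """Estimate total, direct and indirect cost for a breach of `records` records.

    The direct/indirect split ($66 of $201) is applied proportionally to every
    estimate; that is a modelling assumption, not a figure from the slides.
    """
    if records <= 0:
        raise ValueError("records must be positive")
    rate = per_record_cost(cause, financial)
    total = records * rate
    direct = total * DIRECT_PER_RECORD / OVERALL_PER_RECORD
    est = Estimate(records, rate, total, direct, total - direct,
                   records <= SURVEY_MAX_RECORDS)
    if not est.in_survey_range:
        est.notes.append(
            f"{records:,} records exceeds the survey cutoff of "
            f"{SURVEY_MAX_RECORDS:,}; per-record averages do not extrapolate "
            "to breaches of this size, treat the total as an upper bound at best")
    return est


def matches_survey_average(tolerance=0.01):
    """Consistency check: average size x average per-record cost should land on
    the $5.85M average total quoted on the slides."""
    modelled = estimate(AVG_BREACH_SIZE).total
    return abs(modelled - AVG_TOTAL_COST) / AVG_TOTAL_COST < tolerance


if __name__ == "__main__":
    # Constructed scenarios, not real incidents
    for label, kwargs in [
        ("10k records, malicious, any industry", dict(records=10_000, cause="malicious")),
        ("10k records, unknown cause, financial", dict(records=10_000, financial=True)),
        ("26.5M records, unknown cause", dict(records=26_500_000)),
    ]:
        e = estimate(**kwargs)
        print(f"{label}: ${e.total:,.0f} total (direct ${e.direct:,.0f}, "
              f"indirect ${e.indirect:,.0f}), per record ${e.per_record}")
        for note in e.notes:
            print("  note:", note)
    print("model reproduces survey average:", matches_survey_average())
```

Running it shows the consistency check passing (29,087 records at $201 is $5.85M) and the 26.5M-record case flagged as outside the survey's range, which is the point: the per-record figure is a planning number for ordinary breaches, not a formula for the largest ones.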

What increases costs?

[Bar chart: change in cost per record, 2013 vs 2014, for four factors: Lost or stolen devices, Breaches involving third-parties, Notifying too quickly, Engaging consultants. Axis runs from ($20) to $50. Values shown on the chart, in an order that cannot be recovered from the extracted text: $10, $43, $37, $3, $18, $25, $15, ($13).]

What decreases costs?

*2014 was the first year BCDR was included in this survey; therefore, there is no historical data.

[Bar chart: reduction in cost per record, 2013 vs 2014, for four factors: Having a strong security posture, Having a formal incident response plan in place prior to the breach, Having a formal BCP in place prior to the breach* (2014 only), Employment of a CISO. Axis runs from ($45) to $0. Values shown on the chart, in an order that cannot be recovered from the extracted text: ($34), ($42), ($23), ($21), ($17), ($13), ($10).]

Real-World Example

Department of Veterans Affairs

• May 3, 2006, an employee copied data onto a laptop and took it home without authorization

• The data was neither encrypted nor password protected

• The laptop was stolen

• The laptop was recovered a month after the theft with no evidence that the data was accessed or used

Real-World Example

Department of Veterans Affairs (cont’d)

• The data copied to the laptop included records on every American veteran discharged since 1975

– 26,500,000 veterans exposed, including their names, dates of birth, and social security numbers

– VA later revised estimate to include an additional 2.1 million active and reserve service members

• $7 million in notification costs

• $7 million in call center costs

• $20 million class action settlement

Real-World Example

Ohio State University

• December 2010, “hackers” gained access to a university server containing the personal information of over 760,000 current, former, and prospective students and faculty

• The information included names, social security numbers, dates of birth, etc.

Real-World Example

Ohio State University (cont’d)

• A year of free credit monitoring

• Dedicated call center for issue resolution

• Third-party forensic services were engaged to investigate

• All victims were notified in writing

• There was no evidence that access records were exploited

• The costs for the notification, investigation, and remediation exceeded $4 million

References

• Ponemon Institute, “Cost of Data Breach Study”

• Zurich General Insurance, “Cost of a Data Breach”

• Kaspersky “Global Corporate IT Security Risks”

• American Bankers Association “Target Breach Impact Study”

• Verizon “Data Breach Investigations Report”

• Information Week “8 Most Common Causes of Data Breaches”

• Symantec “Internet Security Threat Report”

• PWC/CERT/CSO Magazine “US State of Cybercrime Survey”