Both small family-owned businesses and the world’s largest companies are at risk of ransomware, malware, phishing and other attacks. Depending on the extent of the breach and the type of information stolen, the cost of a data breach can exceed millions of dollars. Financial loss incurred after a data breach is not relegated solely to paying ransom, commissioning investigations and upgrading equipment. Data breaches can cost companies in myriad other ways. How much would a data breach cost your company? From fees levied by the government to higher insurance premiums, here are just a few horrible hidden costs of a data breach.
How Much Does the Average Data Breach Cost?
According to this report from IBM, the average data breach costs American organizations $9.44M USD. The global average cost is far lower. In 2022, IBM’s data breach report estimated the average cost of a data security breach worldwide at about $4.35M.
The average cost per record compromised or stolen during a data breach varies. This report based on IBM Security and Ponemon Institute research notes the average cost of a data breach per record in 2021 was $161. For personally identifiable information (as opposed to anonymized customer data), the average cost of a data breach per record reached $180 USD.
Companies in the healthcare industry suffered the costliest data breaches, with the average healthcare breach costing $10.10M in total. Many expensive breaches also occurred in finance, manufacturing, education and public administration. This resource from Western Governors University notes that small businesses are an incredibly popular target for cyber criminals. According to WGU, “43% of cyberattacks [targeted] small businesses” back in 2019.
Unfortunately, experts predict that the number and cost of data breaches will likely increase in coming years. IBM’s report points to the continuing shift towards remote work and network organizational structures, noting that this distribution makes many companies more vulnerable.
What Costs Companies the Most When a Data Breach Occurs?
Companies incur many costs over the course of a data breach lifecycle. In an August 2022 post for Digital Guardian’s blog, Chris Brook breaks it down. Brook notes that determining the cause and extent of a breach, “responding to the breach” and suffering lost business cost companies the most. Brook writes that lost business alone “accounts for 38%” of total average breach cost globally.
Finding the source and determining the extent of a data breach costs companies “around $1.24 million” on average. According to IBM, stolen or compromised credentials were “the most common cause of a data breach [and] took the longest time to identify.” A data breach caused by stolen credentials typically results in far higher data breach costs than a breach with another source. Assembling an incident response team and addressing the fallout of a breach cost an average $1.14 million this year.
Of course, some costs are harder to quantify. Below are a few common data breach costs you might not have considered but which could impact your business.
Surprising Costs of a Data Breach
Fees Levied by the Government
One potential data breach cost is fees levied by the government. Regulatory fines are a common consequence for certain companies — especially those that suffered the loss of consumer data during a data breach incident.
For example, Equifax was subject to fines and an enormous settlement following its 2017 data breach. This September 2022 update from the FTC notes that the settlement “includes up to $425 million to help people affected by the data breach.” The Equifax data breach impacted more than 140 million people.
Lawsuits from Clients or Consumers
When customer data is lost or leaked during a data breach, a company could also face individual or class action lawsuits. However, the bar is high for customers hoping to sue. Contrary to popular opinion, consumers, customers and/or clients cannot always sue your company after a data breach exposes their personal information.
In an article for the Michigan Technology Law Review, Matt Garry identifies the main reason why not all companies are liable. According to Garry, “the duty to provide data privacy and security does not neatly fit into any established category in tort law.” This makes it difficult to establish injury and determine a company’s duty to their customers.
Of course, some companies bear greater responsibility to protect consumer data than others, and those could be sued in the event of a breach. For example, Equifax collects data relevant to consumer credit reports. Consumers cannot actually prevent this type of data collection. Because consumers cannot opt out, the FTC determined that Equifax bore a fiduciary duty to protect such data. Equifax was then held legally — and financially — liable for the 2017 breach.
Will More Consumers Be Able to Sue in the Future?
Congress, state governments and the Supreme Court are all weighing whether consumers should have a more established right to sue. Writing for Reuters in June 2022, Frederic D. Bellamy notes that the legal tide might be changing. These murmurs come after Equifax, Uber and Yahoo! data breaches resulted in massive class action settlements.
If recent Supreme Court decisions are any indicator, it might actually become more difficult to sue companies after a data breach. When responding to the case against TransUnion last year, the Court “raised the bar for putative class members to establish standing under the FCRA.”
The state in which consumers live or the company is headquartered also impacts the type of recourse affected parties might have. For example, California law explicitly states how much compensation consumers can receive following a breach. However, Bellamy acknowledges that “Congress is currently considering a federal bill [that] includes language to preempt many state data privacy laws.”
Cost to Upgrade Your Security System
Responding to a data breach cost companies an average $1.14 million USD this past year. Of course, much goes into a company’s data breach response, and it is unclear how much of that figure was spent upgrading a company’s cybersecurity protocols.
Cost to Determine the Origin and Extent of the Breach
As noted above, figuring out how a breach occurred and how much data it compromised is incredibly expensive for many companies. Writing for Digital Guardian’s blog, Chris Brook notes that figuring this out costs companies an average $1.24 million USD. In many cases, the longer it takes to “identify and contain a data breach,” the more it costs the company.
As such, attacks that go undetected for significant periods of time — such as those caused by stolen credentials — often cost more. According to this report from IBM, “stolen or compromised credentials…took the longest time to identify…at 327 days.” The report notes that “this attack vector ended up costing USD 150,000 more than the average cost of a data breach.”
Partial or Full Payment of the Ransom Demand
Cybercriminals typically base their ransom demand on a small percentage of the targeted company’s book value or annual revenue. This press release summarizing Sophos’ annual State of Ransomware 2022 notes that the average ransom demand has skyrocketed in recent years.
According to Sophos, “the average ransom paid by organizations that had data encrypted in their most significant ransomware attack [reached] $812,360” last year. Of the organizations that received a ransom demand after a breach, 46% chose to pay. A shocking “11% of organizations said they paid ransoms of $1 million or more.”
This article summarizing IBM’s 2022 data breach report found that some companies who paid their ransom did shell out a lower amount overall. According to IBM, those that paid “saw $630,000 less in average breach costs compared to those that chose not to pay.” This was not so for all companies.
Relying on insurance coverage to pay at least part of the ransom, some companies actually end up paying more in the end. According to IBM, “businesses that opt to pay the ransom could net higher total costs – all while inadvertently funding future ransomware attacks.”
Marketing Campaign Designed to Restore Consumer Trust
Damage to a company’s brand and reputation is yet another common data breach consequence. If knowledge of a data breach becomes public, it could significantly impact the company’s profitability and future success.
A 2018 Harris Poll survey found 75% of consumers will not buy from a company “if they don’t trust [it] to protect their data.” Given this, many companies craft and release a marketing campaign designed to restore consumer trust after a data breach.
The exact amount companies spend on marketing after a data breach is unclear. However, one report published in The American Journal of Managed Care in 2019 found a massive jump in marketing spend after hospital data breaches.
The report notes that “breached hospitals were associated with significantly higher advertising expenditures in the 2 years after the breach.” In fact, a hospital data breach “was associated with a 64% increase in annual advertising expenditures.”
We explore how data breaches impact a company’s brand in our upcoming post “What Happens to a Company’s Reputation After a Data Breach?”
Cost to Teach Employees About Better Cybersecurity Practices
Following a data breach, many companies choose to teach their employees about cybersecurity and internet safety best practices. This represents one of many data breach costs. Companies might hire a third party to host a symposium or explain the company’s new approach to data protection. They might also require employees to take cybersecurity courses.
According to Scott Steinberg in a 2019 article for CNBC, “just 3 in 10 employees currently receive annual cybersecurity training.” Given that “human error still remains one of the greatest threats to organizations’ well-being,” training could make a huge difference.
California-based computer consultancy Consilien estimates that such training will cost just “$10-$60 per employee per year.” However, the cost for security awareness training ranges depending on the size of a company’s workforce and the complexity of their operations. For many companies, the cost of training employees to resist phishing scams and other cyberattacks is well worth it.
Lost Revenue
Another cost of a data breach is lost revenue, which goes hand-in-hand with reputational damage and other consequences. Referencing key findings from IBM’s report in this Digital Guardian post, Chris Brook writes lost revenue “accounts for 38% of a breach’s total cost.” Small businesses are hit particularly hard, with more than half going out of business just six months after a data breach. Lost business likely contributes to this figure.
Higher Interest Rates
A data breach could also result in higher interest rates when companies attempt to borrow money. In fact, a recent study found that banks routinely charge higher interest when lending to companies that have experienced data breaches.
According to this press release detailing the American Accounting Association’s study, “several factors” contributed to higher interest rates on debt. Companies that had great cybersecurity reputations prior to the breach were quoted much higher rates than those with average reputations.
Similarly, a widespread data breach affecting many consumers or clients might result in higher interest rates. The study also found that “if the breach was the result of criminal hacking – rather than a mistake,” rates increased.
Insurance Premium Rate Increases
Unsurprisingly, insurance premiums also increase after a data breach. It is difficult to determine how much premiums increased after a breach. However, it stands to reason that the cause and extent of an attack could play a part.
A company’s premium might increase if it faces legal action or civil suits — like Equifax or TransUnion. As with interest rates, insurance premiums might go up if the breach was caused by a coordinated attack and not an employee error.
Of course, the growing risk of expensive cyberattacks means insurers are increasingly wary of covering companies in certain industries. This resource from the U.S. GAO reports that insurance premiums are on the rise regardless of whether a company’s data has been breached.
According to the GAO, “a number of insurers reduced coverage limits or increased premiums for higher-risk organizations and industries” last year. The GAO’s 2021 report found that “carriers are becoming less likely to include [such coverage], and are instead offering cyber coverage separately.”
Policies were more stringent and costs for coverage were even higher this year. Writing for CNBC in October, Bob Violino notes “cyber insurance premiums increased by an average of 28% in the first quarter of 2022.”
IP Loss and Erosion of a Company’s Competitive Edge
Another cost of data breaches is the loss of intellectual property and — consequently — erosion of competitive edge in a company’s industry. In their Deloitte Perspectives article “Seven hidden costs of a cyberattack,” Don Fancher and colleagues explain. Fancher writes that “loss of IP is an intangible cost associated with loss of exclusive control over…proprietary and confidential information.”
Losing intellectual property during a data breach “can lead to loss of competitive advantage, loss of revenue, and lasting…economic damage to the company.”
Like other consequences of data breaches, it can be difficult to pin down the exact dollar amount related to loss of intellectual property. According to Fancher et al., “the value of IP is estimated by approximating how much another party would pay to license that IP.”
Final Thoughts on the Costs of a Data Breach
From settlements with aggrieved customers to higher interest rates when borrowing money, this post focused primarily on financial data breach costs. In our closing paragraphs, we would like to acknowledge one other potential cost of data breaches. It might not always translate into a financial loss, but loss of human life is a very real consequence of some data breaches.
For example, a critical infrastructure data breach that impacts medical care or traffic lights can cost people their lives. In some cases, vital services provided by critical infrastructure organizations are cut off pending payment of a ransom. In other cases, important records that directly impact someone’s health or personal security are either lost or leaked. The highest costs of a data breach are not always monetary — or easily calculated.