National Study Underscores Best Strategies to Reduce the High Cost of a Data Breach

August 15, 2018

A national study by the Ponemon Institute shows the rising cost and risk of data breaches. On average data breaches cost a staggering $8 million per breach in 2017. Breaches are most costly in the health care arena with a cost per record of $408 compared to the next highest cost of $206 per record in the financial services sector. Expectations by customers for the security of their data are highest in highly regulated industries, including financial services and health care. As a result, a breach is most likely to lead to a loss of customers in those sectors. The following industries in the order listed below faced the highest frequency of breaches in 2017:

  • Financial services;
  • Services companies;
  • Manufacturers;
  • Technology companies;
  • Retailers; and
  • Public sector entities.


Proactive Steps to Mitigate Costs
The Ponemon Institute study highlighted the steps that companies took that were most effective in reducing the cost of a breach. The proactive measures that had the biggest impact on cost reduction were:

  1. Having an incident response team and plan in place that can respond quickly to a breach, initiate forensic and investigative activities, and manage communications to executive leaders and the board;

  2. Use of encryption for data in transmission and at rest; 

  3. Employee training; and

  4. Participation in threat sharing.

Other activities were found to increase the cost of a breach, including extensive use of cloud migration, the involvement of third parties in the breach, extensive use of mobile devices, and lost or stolen devices. 


Effective Breach Response
As noted above, in the Ponemon Study, effective, timely breach response was the single most effective factor in reducing the cost of a breach. Every organization should have a breach policy and plan that identifies the breach response team and details responsibility in the immediate aftermath of a breach. The team leader could be the Chief Security or Information Officer, a senior executive or legal counsel, but should have the authority within the organization to mobilize people quickly. Since undertaking forensic activities to identify the source and scope of the breach and determine how to curtail any ongoing damage and access by the cyberattack is critical, it is prudent for organizations to identify in advance the information technology experts they will retain in a breach. Likewise, organizations should determine the legal counsel they will call upon, in-house or outside, to identify quickly their legal obligations for notice to third parties and government and their legal risks. Counsel can also work with those leading the investigation to retain the attorney-client privilege. Leadership from operations, communications, and key affected areas of the company should also be part of the breach response team. Organizations should identify clear priorities for protection and restoration of data integral to operations in the event of a breach. In addition to a breach response policy, larger organizations undertake “tabletop” or simulation exercises of a breach to test their preparedness and consider the decisions that may arise. 

For questions about breach response policies, employee training, or other proactive steps to prevent or prepare for a breach, contact Tracy Miller, Co-Chair Cybersecurity and Data Privacy, or another member of our Cybersecurity and Data Privacy Practice Group.