Calculating the costs of data breaches to the organizations victimized is no simple matter. Those costs can include everything from direct expenses for mitigating the attack to lost customers to legal fees and regulatory fines. Once all those variables are taken into account, it’s possible to rank the cost of breaches by industry sector. Sitting at the top of the “most-expensive” list worldwide are two somewhat surprising sectors: healthcare and education.
This finding was recently published by the Ponemon Institute in a global report on the cost of data breaches. While the average data breach cost across all industries was $158 per lost or stolen record, the average cost per lost healthcare record was $355, and was $246 for each education record lost. At the other end of the spectrum, the average cost of a lost public sector record was just $80, and that of a lost research industry record just $112.
Why the big range in cost impacts? One reason is higher fines in heavily regulated industries. Most people know about the Health Insurance Portability and Accountability Act (HIPAA), which imposes strict controls on protecting medical records and penalties for their exposure. Don’t forget, though, that universities and other institutions store more than just students’ academic records. They also hold financial information, Social Security numbers, medical records and other sensitive data. As such, these institutions can also face significant regulatory fines when they suffer cyberbreaches.
Another key variable in Ponemon’s cost calculations is customer churn – the loss of customers in the wake of a data breach. This factor isn’t significant in the case of educational institutions, as it’s no simple matter for a college student to change schools. On the flip side, the health sector saw the second-highest post-breach churn rate, behind only the financial sector. (The financial sector, another heavily regulated industry, ranked third highest in the average cost per lost record at $221.)
Some cost factors are far from obvious. For example, the factor that can most increase the cost of a data breach is third-party involvement in the breach, according to Ponemon. Breaches resulting from the loss or theft of a mobile device are also more costly than other forms, which is likely an issue in the healthcare sector. “The California Data Breach Report,” published by the California Attorney General in February 2016, found that nearly 40 percent of the health sector breaches reported in the state in 2015 resulted from lost or stolen electronic devices.
Understanding the particular industry challenges – and costs – associated with cyberbreaches should be an important element of every organization’s cybersecurity planning and strategizing. Organizations in relatively low-cost sectors can’t afford to be complacent, of course. Even if the average breach costs are low compared to other industries, a severe breach can prove devastating for the organization, its employees and its customers.
Ultimately, every organization can learn a lot by understanding the sources of post-breach costs, and by building its defenses and strategies with an eye toward minimizing those financial impacts.
Dwight Davis has reported on and analyzed computer and communications industry trends, technologies and strategies for more than 35 years. All opinions expressed are his own. AT&T has sponsored this blog post.