Canada second most expensive country for data breaches: IBM and Ponemon Institute study

Canada was the second most expensive country for data breaches, costing an average of $255 per lost or stolen record in 2017, according to a new report sponsored by IBM Security and conducted by the Ponemon Institute.

Released on Tuesday, the 2017 Cost of Data Breach Study: Canada report found that Canada was also the second most expensive country of those surveyed for malicious/criminal breaches at $156 per record. The Canadian research report examined the costs incurred by 27 Canadian companies from 12 different industry sectors following the loss or theft of protected personal data and the notification of breach victims as required by various laws.

In Canada, the average total cost of data breaches decreased from $6.03 million in 2016 to $5.78 million in the current year, although the lowest average total cost was $5.32 million in 2015, IBM said in a statement. Over the past year, the average total cost of data breach decreased by 4%, but the average breach size or number of records increased by 3%, the report noted. The number of breached records per incident this year ranged from 4,300 to 69,844, with an average of 21,750 records breached.

The report found that organizations that can contain a breach in less than 30 days save $1.79 million ($4.88 million compared to $6.67 million). However, on average, Canadian organizations took 173 days to identify a breach and 60 days to contain one. This year, the cost of notification in Canada also decreased from $180,000 per company on average in 2016 to $160,000. These costs include IT activities associated with the creation of contract databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures and inbound communication set-up.

IBM noted in the statement that certain industries have higher data breach costs: services ($398 per capita cost), financial services ($356) and technology ($340) companies had a per capita data breach cost above the mean of $255 ($278 in 2016). Public sector ($105), hospitality ($172) and transportation ($175) companies had a per capita cost well below the overall mean value. Investments in incident response teams and plans, extensive use of encryption, employee training programs, board-level involvement or participation in threat sharing were shown to reduce the per capita and total cost of data breach, the statement added.

Of the $255 average per compromised record, $147 pertained to indirect costs, including abnormal turnover or churn of customers, and $108 was related to direct costs incurred to resolve the data breach, such as investments in technologies or legal fees.

From a global perspective, this is the first year the global total cost of a breach has declined in the history of the study, which began in the United States 12 years ago. The 2017 Cost of Data Breach Study: Global Overview said that the global average cost per lost or stolen record was US$141 (from $158 in 2016), with the number one factor to reducing the cost reported as having an incident response team in place (lowering the cost by US$19 per lost or stolen record).

The cost of a data breach also dropped 10% globally in the 2017 study to US$3.62 million from US$4 million. Since debuting in the U.S., the study has expanded to the following countries and regions: the United Kingdom; Germany; Australia; France; Brazil; Japan; Italy; India; Canada; South Africa; the Middle East (including the United Arab Emirates and Saudi Arabia); and the ASEAN region (including Singapore, Indonesia, the Philippines and Malaysia).

Another press release from IBM said that the company identified a close correlation between the response to regulatory requirements in Europe and the overall cost of a data breach. European countries saw a 26% decrease in the total cost of a data breach over last year’s study, the release said, noting that businesses in Europe operate in a more “centralized regulatory environment,” while businesses in the U.S. have unique requirements (48 of 50 states have their own data breach laws).

In the U.S., “compliance failures” and “rushing to notify” were among the top five reasons the cost of a breach rose in the U.S. As well, U.S. companies reported paying over $690,000 on average for notification costs related to a breach – more than double the amount of any other country surveyed in the report.

General global findings included the following:

• Canada was the third most expensive country for data breaches, costing organizations an average of US$4.31 million;
• The cost of a data breach in the U.S. was US$7.35 million, a 5% increase compared to last year;
• Organizations in the Middle East, Japan, South Africa and India all experienced increased costs in 2017 compared to the four-year average costs;
• Germany, France, Italy and the U.K. experienced significant decreases compared to the four-year average costs. Australia, Canada and Brazil also experienced decreased costs compared to the four-year average cost of a data breach;
• In the Middle East, organizations saw the second highest average cost of a data breach at US$4.94 million, a more than 10% increase over the previous year;
• In Brazil data breaches were the least expensive overall, costing companies only US$1.52 million;
• For the seventh year in a row, healthcare has topped the list as the most expensive industry for data breaches. Healthcare data breaches cost organizations US$380 per record, more than 2.5 times the global average across industries (US$141 per record);
• The involvement of third parties in a data breach was the top contributing factor that led to an increase in the cost of a data breach, increasing the cost US$17 per record; and
• Incident response, encryption and education were the factors shown to have the most impact on reducing the cost of a data breach. Having an incident response team in place resulted in US$19 reduction in cost per lost or stolen record, followed by extensive use of encryption (US$16 reduction per record) and employee training (US$12.50 reduction per record).