June 20, 2017 by Canadian Underwriter
Canada was the second most expensive country for data breaches, costing an average of $255 per lost or stolen record in 2017, according to a new report sponsored by IBM Security and conducted by the Ponemon Institute.
Released on Tuesday, the 2017 Cost of Data Breach Study: Canada report found that Canada was also the second most expensive country of those surveyed for malicious/criminal breaches at $156 per record. The Canadian research report examined the costs incurred by 27 Canadian companies from 12 different industry sectors following the loss or theft of protected personal data and the notification of breach victims as required by various laws.
In Canada, the average total cost of data breaches decreased from $6.03 million in 2016 to $5.78 million in the current year, although the lowest average total cost was $5.32 million in 2015, IBM said in a statement. Over the past year, the average total cost of data breach decreased by 4%, but the average breach size or number of records increased by 3%, the report noted. The number of breached records per incident this year ranged from 4,300 to 69,844, with an average of 21,750 records breached.
The report found that organizations that can contain a breach in less than 30 days save $1.79 million ($4.88 million compared to $6.67 million). However, on average, Canadian organizations took 173 days to identify a breach and 60 days to contain one. This year, the cost of notification in Canada also decreased from $180,000 per company on average in 2016 to $160,000. These costs include IT activities associated with the creation of contract databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures and inbound communication set-up.
IBM noted in the statement that certain industries have higher data breach costs: services ($398 per capita cost), financial services ($356) and technology ($340) companies had a per capita data breach cost above the mean of $255 ($278 in 2016). Public sector ($105), hospitality ($172) and transportation ($175) companies had a per capita cost well below the overall mean value. Investments in incident response teams and plans, extensive use of encryption, employee training programs, board-level involvement or participation in threat sharing were shown to reduce the per capita and total cost of data breach, the statement added.
Of the $255 average per compromised record, $147 pertained to indirect costs, including abnormal turnover or churn of customers, and $108 was related to direct costs incurred to resolve the data breach, such as investments in technologies or legal fees.
From a global perspective, this is the first year the global total cost of a breach has declined in the history of the study, which began in the United States 12 years ago. The 2017 Cost of Data Breach Study: Global Overview said that the global average cost per lost or stolen record was US$141 (from $158 in 2016), with the number one factor in reducing the cost reported as having an incident response team in place (lowering the cost by US$19 per lost or stolen record).
The cost of a data breach also dropped 10% globally in the 2017 study to US$3.62 million from US$4 million. Since debuting in the U.S., the study has expanded to the following countries and regions: the United Kingdom; Germany; Australia; France; Brazil; Japan; Italy; India; Canada; South Africa; the Middle East (including the United Arab Emirates and Saudi Arabia); and the ASEAN region (including Singapore, Indonesia, the Philippines and Malaysia).
Another press release from IBM said that the company identified a close correlation between the response to regulatory requirements in Europe and the overall cost of a data breach. European countries saw a 26% decrease in the total cost of a data breach over last year’s study, the release said, noting that businesses in Europe operate in a more “centralized regulatory environment,” while businesses in the U.S. have unique requirements (48 of 50 states have their own data breach laws).
In the U.S., “compliance failures” and “rushing to notify” were among the top five reasons the cost of a breach rose. As well, U.S. companies reported paying over $690,000 on average for notification costs related to a breach – more than double the amount of any other country surveyed in the report.
General global findings included the following: