Data breaches have such wide-ranging effects that it’s tricky to predict the financial damage they might do. But still predictions are made.
This month the Ponemon Institute released its annual study that examines the costs of data breaches in the previous year as well as the factors that raised or mitigated those costs. Cybersecurity attorneys say that the report, while providing the typical fodder for legal departments and C-suites to mull over when assessing their data breach risks, points out some topics such as Internet-of-Things devices that will require their further attention.
Among nations surveyed, the U.S. unsurprisingly had the highest average total cost for a data breach last year at about $8 million, more than double the global average. That figure is expectedly rising as data breaches are increasing in size and exposing more records apiece. What is new in this year’s report, which surveyed 477 companies worldwide, is that it took into account whether they used artificial intelligence in their data security tools and whether they had extensive use of IoT devices.
According to the report, the average time it took for a company to identify a breach was 197 days, and the average time to contain it afterward was 69 days. But the report stressed the effectiveness of certain measures, such as having an incident response team of attorneys, investigators and other experts in place. That alone lowered the average cost per compromised record by $14 per capita.
Christopher Achatz, a data privacy and security attorney at Boulder firm Koenig Oelsner Taylor Schoenfeld & Gaddis, noted that while the yearly Ponemon reports cite growing numbers in the average total costs for breaches, their findings can be “overblown.” In Achatz’s experience, the average cost per data record marginally decreases as a data breach affects more records.
But the report’s central theme of breach readiness as cost mitigation still holds true, he said. “When you’re trying to reduce the cost of data breaches, the best thing you can do is identify them early and respond quickly,” Achatz said. If the company can respond swiftly and contain the breach within statutorily required timeframes, it is less likely to see its costs multiply through litigation and regulatory penalties. Failing to meet those timeframes often brings negative media attention, which in turn can inflict reputational damage on the company and the costs that come with that, Achatz added.
According to Denver-based Ballard Spahr partner and data privacy and security attorney David Stauss, what really begs further discussion in the report is the data breach risk a company assumes by using IoT devices. The Ponemon Institute estimated that “extensive IoT use” resulted in breached companies spending an average of $5 more per record. “[The report] just says you have more risk” by deploying IoT devices, “and not a lot of discussion about why,” Stauss said.
Internet-connected devices, from computers to vehicles to home appliances, already outnumber the world’s population and could exceed 20 billion by 2020, according to research firm Gartner. “Everyone has an IoT device right now, and it’s called your phone,” Stauss said.
When the Ponemon report cites significant IoT use as a cost aggravator, it’s unclear on what constitutes “significant” use for a company, Stauss noted. He added, however, that there’s still the takeaway for companies that they need to address the emerging use of IoT.
The prevalence of IoT devices gives hackers that many more connected entry points for infiltrating a company’s data networks, and they can be especially vulnerable in and of themselves. “A lot of these IoT devices that are being pushed to market may not have [security] updates available, so they may have inherent vulnerabilities,” Stauss said.
There are “hidden” costs of data breaches that cybersecurity attorneys say companies would do well to consider, including the losses that occur from putting operations on hold. When a breach occurs, company leadership from the general counsel to the chief financial officer, not just the IT department, has to drop everything to respond to the incident. For those executives, pausing other high-level tasks and projects carries a significant cost on its own, Stauss said.
Another cost that can be difficult to predict is customer churn. “If you’re having an issue that affects your customers, how does that affect how they view your company?” Stauss said.
In other words, are consumers making purchasing decisions based on who’s been hacked? “That’s up for debate right now,” Stauss said. There’s a theory that consumers receiving an “overload” of breach reporting may be more numb to new data breach reports as they proliferate.
The Ponemon report emphasized the benefit of having an incident response team ready in case of a breach. On average, that decreased the cost of a breach by $14 per compromised record last year. Achatz said that waiting until a breach occurs before engaging a forensic investigator, for example, can raise costs by making those experts more expensive; in the heat of a breach, the company loses leverage in the cost-of-service negotiations.
— Doug Chartier