Winning? US Is Top in Corporate Data Breach Costs Thanks to Legal
June 21, 2017 at 07:56 AM
The original version of this story was published on Law.com
An IBM and Ponemon Institute study found indirect costs such as litigation make the United States the most expensive country for corporations to suffer a data breach.
Implementing cybersecurity controls can be expensive and frustrating for companies, but dealing with the fallout from a breach is inevitably far more costly. And nowhere is that more evident than in U.S. corporations, which hold the distinction of having the highest data breach financial liabilities worldwide, according to the 2017 Cost of Data Breach Study.
The study was sponsored by IBM and conducted by the Ponemon Institute, which surveyed 419 corporations across 17 industries in 14 countries, including 63 corporations in the United States. On a per capita basis, U.S. corporations paid $225 per lost or stolen record, up from the previous record of $221 in 2016, and far outpacing Canada, which held the second highest cost at $190 per record.
The average total cost of a breach in the United States reached $7.35 million per organization, up from $7 million in 2016 and topping the previous record of $7.24 million in 2011. The Middle East (which the study defined as the United Arab Emirates and Saudi Arabia) had the second highest costs at $4.94 million per organization in 2017, followed by Canada at $4.31 million.
Larry Ponemon, chairman and founder of the Ponemon Institute, said the United States' high breach costs are the result of a multitude of legal and regulatory factors. “It's hard to know any other country that has what we currently have in terms of litigation and compliance fines from organizations like the FTC and so on.”
Such costs, he added, coupled with potential loss of business, can “turn into a very large sum of money.”
Diana Kelley, executive security adviser at IBM Security, also singled out the scope and variety of legal liabilities an organization can face post-breach in the United States as a key driver of these costs.
“Depending on the breach, [you may] see different kinds of potential lawsuits,” she said. “So in some retailer breaches, for example, you may see the people whose data was stolen bringing a part of a lawsuit. But also then the issuing bank, the bank that delivers out the credit card for consumers, may also bring a lawsuit, because they now have to absorb the cost of re-issuing new credit cards to their customers who were impacted by the breach as well.”
Litigation expenses, compliance fines and loss of business were categorized by the survey as “indirect costs” of a breach, and accounted for almost 65 percent of the average per capita breach expenses for U.S. organizations, the highest share in the world.
Such indirect costs also include notification expenses, which in the United States rose to a record average high of $690,000 per organization in 2017, up from $590,000 in 2016, and topping the record of $660,000 in 2007. Organizations in the Middle East had the second highest notification costs in 2017, with an average of $270,000, followed by those in Denmark with $200,000.
Ponemon attributed these high costs to the “patchwork quilt” of U.S. breach notification laws “that make it just harder for organizations to know how to report and who to report to.”
Kelley added that corporations operating in multiple states face additional difficulties, as 48 states currently have breach notification laws, “which are fairly complex.”
“Obviously some breach notifications you can template out, but when you've got to make sure you meet [up to] 48 laws, that can create complexity in the response,” she added.
Though indirect expenses were a significant driver of costs, companies across U.S. industries could mitigate, or increase, the financial burden of their data breaches depending on what cybersecurity protection processes they had in place and the nature of the breach itself. According to the survey, companies with an incident response team in place, for example, saved an average of $25.90 per lost or stolen record after a breach, while those that extensively used encryption saved $22.50 per record and those that trained their employees on cybersecurity procedures saved $16.80.
On the other hand, if a breach originated with or involved a third-party vendor, corporations faced a breach cost increase of $23.70 per lost or stolen record. And if the breach involved compliance failures, that added a further $19.30 per record.
Ponemon explained that while having an incident response plan enables an organization to more quickly limit the extent of the breach and its fallout, having a breach originate in a third-party vendor causes the organization to lose control over its response and protection.
“The reason the cost increases so substantially is because it's a lot harder to identify and then contain that data breach when it is not on premises,” he said.
Kelley added, “The threat surface gets much bigger as we share out data with third parties, which can really complicate efforts to contain when a breach occurs.”
Copyright Legaltech News. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.