An IBM and Ponemon Institute study found indirect costs such as litigation make the United States the most expensive country for corporations to suffer a data breach.

Implementing cybersecurity controls can be expensive and frustrating for companies, but dealing with the fallout from a breach is inevitably far more costly. And nowhere is that more evident than in U.S. corporations, which hold the distinction of having the highest data breach financial liabilities worldwide, according to the 2017 Cost of Data Breach Study.

The study was sponsored by IBM and conducted by the Ponemon Institute, which surveyed 419 corporations across 17 industries in 14 countries, including 63 corporations in the United States. On a per capita basis, U.S. corporations paid $225 for each lost or stolen record, up from the previous record of $221 in 2016, and far outpacing Canada, which held the second highest cost at $190 per record.

The average total cost of a breach in the United States reached $7.35 million per organization, up from $7 million in 2016 and topping the previous record of $7.24 million in 2011. The Middle East (which the study defined as the United Arab Emirates and Saudi Arabia) had the second highest costs at $4.94 million per organization in 2017, followed by Canada at $4.31 million.

Larry Ponemon, chairman and founder of the Ponemon Institute, said the United States' high breach costs are the result of a multitude of legal and regulatory factors. “It's hard to know any other country that has what we currently have in terms of litigation and compliance fines from organizations like the FTC and so on.”

Such costs, he added, coupled with potential loss of business, can “turn into a very large sum of money.”

Diana Kelley, executive security adviser at IBM Security, also singled out the scope and variety of legal liabilities an organization can face post-breach in the United States as a key driver of these costs.

“Depending on the breach, [you may] see different kinds of potential lawsuits,” she said. “So in some retailer breaches, for example, you may see the people whose data was stolen bringing a part of a lawsuit. But also then the issuing bank, the bank that delivers the credit card to consumers, may also bring a lawsuit, because they now have to absorb the cost of re-issuing new credit cards to their customers who were impacted by the breach as well.”

Litigation expenses, compliance fines and loss of business were categorized by the survey as “indirect costs” of a breach, and accounted for almost 65 percent of the average per capita breach expenses for U.S. organizations—the highest in the world.

Such indirect costs also include notification expenses, which in the United States rose to a record average high of $690,000 per organization in 2017, up from $590,000 in 2016, and topping the record of $660,000 in 2007. Organizations in the Middle East had the second highest notification costs in 2017, with an average of $270,000, followed by those in Denmark with $200,000.

Ponemon attributed these high costs to the “patchwork quilt” of U.S. breach notification laws “that make it just harder for organizations to know how to report and who to report to.”

Kelley added that corporations operating in multiple states face additional difficulties, as 48 states currently have breach notification laws, “which are fairly complex.”

“Obviously some breach notifications you can template out, but when you've got to make sure you meet [up to] 48 laws, that can create complexity in the response,” she added.

Though indirect expenses were a significant driver of costs, companies across U.S. industries could mitigate—or increase—the financial burden of their data breaches depending on what cybersecurity protection processes they had in place and the nature of the breach itself. According to the survey, companies with an incident response team in place, for example, saved an average of $25.90 per lost or stolen record after a breach, while those who extensively used encryption saved $22.50 per record and those who trained their employees on cybersecurity procedures saved $16.80.

On the other hand, if a breach originated with or involved a third-party vendor, corporations faced a breach cost increase of $23.70 per lost or stolen record. And if the breach triggered some compliance failures, that added $19.30 per record as well.

Ponemon explained that while having an incident response plan enables an organization to more quickly limit the extent of the breach and its fallout, having a breach originate in a third-party vendor causes the organization to lose control over its response and protection.

“The reason for the increase of cost so substantially is because it's a lot harder to identify and then contain that data breach when it is not on premises,” he said.

Kelley added, “The threat surface gets much bigger as we share out data with third parties, which can really complicate efforts to contain when a breach occurs.”

Copyright Legaltech News. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.