The cost of a data breach is about 58 cents per record, well below the widely accepted previous estimate of about $201 per record, according to Verizon's 2015 Data Breach Investigations Report.
Verizon's calculation was done in conjunction with NetDiligence, which aggregates data from cyber-insurance carriers. The data from Verizon and NetDiligence reflect actual cyber liability claims. The Data Breach Investigations Report (DBIR), released annually based on data provided by Verizon, its customers and partners, examined 191 insurance claims related to loss of payment cards, personal information and medical records.
The $201 per record estimate typically excludes breaches of more than 100,000 records and includes so-called soft costs such as brand damage. Soft costs often don't show up in insurance claims and are difficult to calculate. The truth for most companies probably lies somewhere between 58 cents and $201 per record.
Verizon is setting out to create a new formula for estimating data breach risk. Perhaps the biggest takeaway is that per-record breach costs are steady whether the damage is caused by an insider or an outsider. The latter category gets most of the attention.
"We were trying to capture the uncertainty of the impact from data breaches," says Jay Jacobs, senior analyst of Verizon's risk team and co-author of the DBIR report. "Analyzing claims information was a good next step."
Indeed, the findings by Verizon and NetDiligence will come in handy. It has been clear that companies hit by a big data breach (TJX, Target and Home Depot, to name a few) usually don't face the losses initially projected when news of the security breach first breaks. In addition, if a company handles the breach transparently and communicates well, the reputation hit is manageable.
Companies do get their act together on the security front after an attack damages their reputation, and the financial costs are absorbed relatively well.
Verizon noted in its report:
Larger organizations post higher losses per breach, but further investigation reveals the simple truth that they just typically lost more records than smaller organizations and thus had higher overall cost. Breaches with equivalent record loss had similar total cost, independent of organizational size. This theme played through every aspect of data breaches that we analyzed. In other words, everything kept pointing to records, and to the conclusion that technical efforts to minimize the cost of breaches should focus on preventing or minimizing compromised records.
The report features a big section on methodology, but the bottom line is that the charts below reflect what an enterprise will have to pay for a data breach based on the number of records lost.