In a year already characterized by data breaches at recognizable healthcare organizations, such as CareFirst BlueCross BlueShield, and at major government entities, including the IRS, it's no surprise that victims' personal information is a hot commodity.
An annual study from the Ponemon Institute and IBM released on Wednesday found that the average per-capita cost of a data breach increased to $217 in 2015 from $201 in 2014. Plus, the average total cost of a data breach increased to $6.5 million from $5.8 million the prior year.
The U.S. study looked at 62 companies in 16 industry sectors that had experienced the loss or theft of protected personal data and then had to notify victims.
The cost per record takes into account indirect costs, such as abnormal customer turnover or churn, as well as direct costs caused by the breach itself, including technology investment and legal fees. Only $74 of the per-record figure was attributed to direct costs.
The study also noted, however, that not all records are seen as equal when stolen. Health records have an average cost of $398 each, whereas retail records cost $189 each.
Caleb Barlow, VP of security at IBM, said in an interview with SCMagazine.com that these cost discrepancies aren't surprising, given what can be done with the various records.
“A credit card [that can be gained from retailers] is something that the risk of it is really from the time it's breached until the credit card is replaced,” he said. “The half-life is a very limited period of time versus a health care record that never changes. When the genie's out of the bottle you're not getting her back in.”
He went on to say healthcare breaches could impact victims for decades.
The study also identified factors that could both positively and negatively affect the cost of a data breach.
Having an incident response plan and team in place, for example, decreased the average cost to $193.2 million. On the other hand, third-party breaches increased the average cost to $246 million.
These findings, Barlow said, reflect the necessity to plan ahead for breaches.
“[Data breach planning] should be at the same level you would consider any other major business risk,” he said. “It requires the same level of planning, the same level of rehearsal and the same level of practice.”