What Do Data Breach Statistics Mean for the Real World?
It seems like with every newly announced breach, we see more statistics about data breaches—how much they cost, how large they are, who caused them, etc., etc., etc. Fortunately, breaches of the magnitude we saw at PlayStation, Heartland, and TJMaxx don’t happen every day. So, what do the statistics mean for the companies who experience the types of breaches we see on a daily basis?
The Ponemon Institute recently released its sixth annual report on the average cost of a data breach in the U.S. and estimates that the cost of breaches averages in the millions of dollars. We know that isn’t true for most breaches involving a lost laptop with a few thousand records on it or even an external hard drive with tens of thousands of records on it. Still, the study does show several interesting trends.
First, companies that notify affected individuals within one month of discovering a breach spend more per record than companies that notify affected individuals more than one month after discovering a breach. Many times, on our first call with a client, the client will push to get the notifications out the door as quickly as possible. This push can create inefficiencies that only increase costs, or it can cause clients to spend extra money on fees for expedited handling and to move too quickly through the evaluation phase.
The Ponemon Study also talks about costs decreasing when a company takes more than 30 days to respond. Unfortunately, 30 days to some attorneys general is too long. We know from experience that the attorney general in Indiana is monitoring response time very closely.
Verizon also recently issued its 2011 Data Breach Investigations Report. That report found most of the breaches occurring in the hospitality and retail sectors, with less than 1% occurring in the healthcare industry. I think this data shows that it depends on who you are dealing with and who your clients are. Sure, the Secret Service provided information to Verizon about its experiences, but the Secret Service is probably called in more frequently following a malware injection or hacking incident. It is less likely that they, or Verizon, will be called in to investigate the loss of a BlackBerry, laptop, external hard drive, or other portable device. I don’t think anyone can discount the effect HITECH has had on the healthcare industry—we are approaching the 10M mark for the number of individuals affected by reported healthcare breaches in the last 20 months!
Both the Verizon and Ponemon Institute studies suggest that breaches caused by malicious attacks are on the rise and that breaches caused by employees have decreased a bit. We still see a lot of breaches being caused by forgetful employees. They forget their computer in a coffee shop. They forget patient records they are carrying in their rental car or on an airplane. Employee education may be on the rise, as well as the use of encryption, which is helping to reduce the percentage of incidents caused by negligent employees, but we cannot overstate how important it is to continue these efforts to help avoid these incidents.
Another group we have some control over is the one made up of third-party vendors and business associates. They continue to cause a large percentage of the breaches. Unfortunately, old contracts and business associate agreements are not being dusted off and updated to reflect the current state of data breach notification laws. I think we are going to see companies spending more time focusing on these issues, particularly as we approach the launch of the rules governing business associates under HITECH.
If nothing else, the statistics we see reinforce the importance of implementing appropriate breach prevention and response measures. With the ever-increasing costs of a breach and the prevalence of malicious attacks, it is vital that entities encrypt all sensitive/confidential personal data and maintain and enforce policies for safeguarding such data. We must also strive to develop comprehensive breach response plans in order to promptly respond to any breach consistent with the requirements of applicable law while minimizing the costs of an early response.