Just this year, in July, the personal data of 145 million people was stolen via the Equifax hack. In 2016, 3 billion Yahoo accounts were hacked. Large-scale data breaches are becoming a regular part of the news cycle. But that doesn’t mean that giant multinational corporations are the only ones that face identity management risks. No matter the size of your company, compromised customer data costs money and customers.

And that’s why IBM conducts its Cost of Data Breach Study, an annual global sampling of hundreds of companies across a variety of industries. In 2017, its 12th year, the study spanned 11 countries with 493 companies participating.

The main takeaway from this year’s inquiry is that, while the average total cost per company in terms of data breaches has dropped, larger scale data breaches have been happening. Though the average total cost of data breaches has dipped by 10%, these companies still face a 22.7% chance of a recurring breach over the next two years. Below, we’ll first explain how the costs are calculated, then list the major takeaways from this study.

Components of Data Breach Cost

Here’s how the cost of a data breach is calculated:

  • Loss of customers following data breach

Churn can result from customers directly affected by a data breach, or from word of mouth leading to others abandoning a service provider. Compared to 2016, even more companies lost customers as a result of data breaches in 2017.

  • The size of the breach

1 + 1 = 2. The greater the number of records compromised, the more it will cost to remedy the breach and its fallout.

  • The time it takes to identify and contain a data breach

Between 2016 and 2017 companies were able to cut the time it took to identify a data breach from 201 days to 191, as well as cut the time it took to contain a breach from 70 days to 66. The study suggests this is a result of more companies investing in security technologies, though increasing complexity in IT security architecture can actually increase breach containment time.

  • The detection and escalation of the data breach incident

“Detection and escalation costs include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors.”

  • Post-data breach costs

“These costs include help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions.” The United States had higher notification costs than any other country.

  • “An attack by a malicious insider or criminal is costlier than system glitches and negligence (human factor)”

The average cost of a malicious insider/criminal attack is $156 per record, while human error is $127 per record. The US experienced a higher rate of churn and higher average costs of data breach compared to most other countries.

The Biggest Implications of IBM’s Study

  • Global data breach costs have dropped, but . . .

Between 2016 and 2017, the average cost of a data breach dropped by 10%. However, the number of records lost or stolen in each breach went up by 1.8%. It seems companies have gotten better at handling the fallout, but their IT security itself remains a huge vulnerability.

  • Healthcare data breaches cost 2.7 times the global average

While the average data breach cost is $141 per lost or stolen record, a healthcare organization faces an average cost of $380 per record.

  • Notification costs are the highest in the United States

“These costs include the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures, email bounce-backs and inbound communication setups.” In the US, average notification costs alone were $680,000 per incident.

  • The US spends the most on post-data breach response

“Post-data breach response activities include help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions.” In the US, the average cost of this response was $1.56 million.

  • More records lost = higher cost of breach

The low-end average: $1.9 million for breaches with fewer than 10,000 compromised records.

The high-end average: $6.3 million where more than 50,000 records were compromised.

  • Identify and contain data breach sooner = lower costs

The average time to identify a breach: 191 days

The average time to contain a breach: 66 days

  • Hackers and criminal insiders cause the most data breaches.

47% of breaches in this study were caused by malicious or criminal attacks. The average cost per record to remedy these attacks was $156. At that rate, a breach of 10,000 records would cost $1,560,000. A breach of 50,000 records would cost $7,800,000.

  • Incident response teams + extensive use of encryption = reduced costs

Incident response teams: lowered breach costs by $19 per compromised record.

Extensive encryption: lowered costs by $16 per record.

  • CPO and security analytics GOOD, mobile platforms and compliance failures BAD

Appointment of a Chief Privacy Officer: reduced cost per compromised record by $3.

Security analytics: reduced cost by $7 per record.

Extensive use of mobile platforms: increased cost by $9 per record.

Compliance failures: increased cost by $11 per record.

  • Losing customers due to data breaches is more costly than you think

Companies that lost <1% of their customer base faced an average total cost of $2.6 million.

For companies that lost ≥4%, the average cost was $5.1 million.

US companies paid the most for losing customers: $4.13 million.

The Best Security Measures for Your Company

At tekMountain, one of the nation’s emerging innovation and entrepreneurial centers, we’ve made identity management research a top priority across three industries: medtech, HR tech, and ed tech. But, no matter what space your company works in, your customers’ personal data is a costly asset that must be protected. The key to a strong identity security strategy is implementing technology specifically tailored to your industry. Contact tekMountain today to learn more about the identity management risks your company faces and the best strategies to mitigate these vulnerabilities.


This blog was produced by the tekMountain Team of Sean Ahlum, Amanda Sipes, and Bill DiNome, with lead writer Zach Cioffi.