IDG has the news of a new data breach study by the Ponemon Institute (sponsored by IBM Security) out today, and it reveals a steadily worsening data breach threat picture. In this post we briefly recount the numbers and draw some lessons for reducing the cost of breaches to organizations.
According to the report, security incidents rose by 64% from 2014 to 2015. The average total cost of a breach (as of 2015) is now $4 million, a 5.5% increase from the year before and up 30% from 2013. The average cost per lost or stolen record is $155 overall, and higher in heavily regulated sectors such as health care, where it reaches $355 per record. These costs are concentrated in forensic investigation, notifying and communicating with affected consumers, legal fees, and regulatory response.
Adding another nail to the coffin of the outmoded model of “perimeter defense” as the be-all and end-all of breach mitigation, Ponemon Institute chairman Larry Ponemon has now declared that “data breaches are a consistent cost of doing business.” This matches the house view around here: an ounce of prevention is worth a pound of cure, but perimeter defense alone is not a complete cure. The proliferating breaches and rising breach costs suggest it is not even a very good one; it is better thought of as the basic threshold requirement for possessing digital data in an organizational capacity at all. Part of the difficulty is that any well-defined notion of an organization’s digital “perimeter” has evaporated: employees use their own devices, staff turnover is high, applications and data live with SaaS providers, and organizations are globally distributed. The other part is simply that cyber-criminals’ methods evolve rapidly and stay one step ahead of the defenses built to stop them.
In light of all this, anti-breach efforts need to be rebalanced toward improving organizational process (both in implementing security measures and in responding to breaches), mitigating legal risk, and detecting and containing breaches quickly.
The study offers ample evidence for these points. Simply having an incident response team was found to reduce the cost of a breach by nearly $400,000 on average. Speed also matters: breaches identified within 100 days cost an average of $3.23 million, while those discovered later cost an average of $4.38 million. The study found that the average time to identify a breach was a tear-jerking 201 days, with containment taking an additional 70 days on average.
Between the lines of reports like this one, it becomes clear that containing legal risk in particular goes a long way toward reducing legal and regulatory expenditures, whether or not a breach ever occurs. Examples include: knowing and preparing for every statutory and regulatory regime that could impose breach-related penalties on top of privacy tort liability, so that those costs can be avoided or reduced through proactive measures; writing data-security rights and responsibilities into organizational contracts and policies to the fullest extent that is possible and prudent (and in some cases required); engaging legal counsel for preparedness advice and to coordinate and communicate with forensic and other vendors, so that sensitive data-security and breach information is more likely to be protected by attorney-client privilege and the work-product doctrine (protection that is not automatic, and generally depends on counsel retaining the vendor and directing the work); and retaining data security and breach counsel in advance, on a favorable billing model, so your organization is not caught scrambling and overpaying when an incident breaks. While here at Borrero Law we can help with the entire data security/anti-breach picture, these last few items are where we, as a law firm, can provide special value over the panoply of vendors and consultants working to mitigate breaches.