According to a study conducted by IBM and the Ponemon Institute, the average total cost to a U.S. company of a data breach is nearly $7 million, with an average cost of more than $200 per record that is stolen or lost. Costs are higher in certain industries, such as health care and banking, which are subject to federal data breach notification laws under the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
Companies that sustain a data breach may incur significant forensic expenses (IT forensics): the costs of identifying, preserving, analyzing, and recovering information on computers and digital storage media in order to detect and investigate the source of the breach, repair the resulting damage, and update systems to protect against future losses.
Other costs incurred with a data breach include those that are required to:
- notify affected parties;
- pay legal expenses incurred during investigations and legal actions;
- pay compensation to affected customers;
- reissue compromised credit cards;
- hire public relations professionals to respond to adverse publicity;
- pay fines and penalties incurred due to noncompliance with pertinent laws and regulations;
- provide identity theft protection and credit monitoring services to affected individuals; and
- offer product discounts to parties affected by the breach.
In one highly publicized incident, a national retail chain was the victim of a data breach in which millions of customers' credit and debit card records were stolen. The breach occurred at the beginning of the holiday shopping season and went undiscovered for nearly two weeks. The retailer paid millions of dollars to credit card issuers to cover their expenses in providing new cards to customers affected by the breach. The retailer was also named in several multimillion-dollar class-action lawsuits brought by banks and consumers.