What a Data Breach Really Costs

Dealing with a data breach costs a lot of money, and it’s getting more expensive. That’s certainly bad news for the companies that suffer such attacks, but it hurts consumers, too, because companies may try to recoup financial losses by charging customers more for their goods and services.

This year, companies have paid an average of $500,000 more than they did when recovering from a data breach in 2013, according to the 2014 Cost of Data Breach Study from Ponemon Institute, which is sponsored by IBM. The annual report is based on interviews over a 10-month period with more than 500 people from 61 companies in 16 industries that suffered loss or theft of protected personal data. Data breaches cost an average $5.9 million overall and $201 per customer — both averages increased in the past year.

It’s actually a little worse than that, considering the most common cause of a data breach is also the most expensive. Forty-four percent of breaches stem from malicious, criminal attacks, which cost an average of $246 per compromised record.

What Makes Breaches Expensive?

Data breach costs are dictated by a variety of factors, from the source of the error to how quickly the company notifies its customers. On that note, immediate notification doesn’t always prevent damage: The research found breaches to be more costly (by an average of $15 more per person) when customers were alerted “too quickly without a thorough assessment or forensic examination.”

Here’s a less surprising statistic: Companies with a specific incident-response plan in place before the breach paid an average of $17 less per compromised record.

Companies also lose business after data breaches: In 2013, the cost of lost business was $3.03 million, and it increased to $3.2 million this year. Losing customers has a huge impact on cost, as does the size of the breach. All the things companies do in the wake of a breach have gotten pricier, too, including the investigation, product discounts, credit monitoring, legal fees and so on. Those “post-breach activities,” as the report calls them, increased from $1.41 million to $1.6 million in this year’s study.

Even though data-breach recovery expenses hit companies harder this year than last, other years have been worse. Ponemon Institute started this report in 2006 (when the average cost per compromised record was $138), and the costs in 2014 are lower than they were in 2009 ($202), 2010 ($204) and 2011 ($214).

There’s not much consumers can do about theses costs, but it’s smart to monitor your accounts for signs of a breach, so you can quickly address anything suspicious. The longer you wait to change login credentials or credit cards after getting hacked, the messier it will be for you to reverse any fraudulent activity. Checking your financial activity online daily will keep you alert to potential breaches, and you can also use your credit reports and credit scores as identity-theft detection tools. Using sites like Credit.com, you can get your credit scores for free and monitor them for any sudden changes, which could suggest fraud.