Data Security

Average Cost Per Record of US Data Breach in Ed: $245

• By Dian Schaffhauser
• 07/18/17

The average cost of a data breach in the United States rose for the fourth straight year, hitting $225 per compromised record--the highest it has been since 2006, when the Ponemon Institute began to publish research on the topic.

In education, which tends to be more heavily regulated regarding data privacy, the average "per capita" cost for 2017 in this country is even higher: $245. That's considerably more than the worldwide per-record cost in education of $200. (Per capita represents the total cost of the data breach divided by the number of lost or stolen records.)

According to Ponemon's "2017 Cost of Data Breach Study," the average total organizational cost across all segments, not just education, is $7.35 million, up almost five percent over last year's $7 million. The average number of records exposed was 28,512. The major component of that expense--about $1.51 million--is related to the business lost because of the breach: turnover of customers or "churn," increased customer acquisition cost, "reputation losses" and "diminished goodwill." Education, as an industry, experiences far less churn (1.8 percent) compared to other segments, such as financial or life sciences (7.1 percent and 5.7 percent, respectively).

The next largest portion of the expense ($1 million) is tied to detection and escalation efforts, such as forensics, root cause determination, identifying victims and organizing a response. That's followed by related services ($930,000), such as help desk operations, inbound communications, product discounts and setting up subscriptions to identity protection services for victims. The smallest aspect of the cost of a data breach is the expense of notifying the affected people and regulators; that equals about $199,000.

Ponemon reported that nearly half of U.S. data breaches (47 percent) are due to "malicious or criminal attack." These are also the most expensive type of breach to resolve. Another 28 percent come about through human error; and 25 percent occur because of "system glitches, including both IT and business process failures."

New factors that the research took into consideration as the results were being compiled included two areas of importance to schools: the extensive use of mobile platforms, which tacked an additional cost of $6.50 per record breached, and compliance failures, which added a whopping $19.30 per capita.

Compared to other types of organizations, education tends to take a long time to identify and contain data breaches. On average, worldwide, education takes 221 days for the first part of the work and 83 days for the second part. As a comparison, financial takes only 155 days to identify a potential breach and 34 days to respond and contain it. those aspects are important, the research noted, because the longer the duration of those two aspects of data breaches, the higher the cost to the organization.

The report offered several strategies for reducing the cost of future data breaches. For example, organizations that have an incident response team in place tend to lower the damage control cost per record by more than $19. Those that use encryption extensively save about $16. And a solid training program for employees has an impact of $12.50. These aren't cumulative because there's so much overlap, explained Researcher Larry Ponemon during a recent presentation covering the results of the report. "Companies that have an [incident response] team probably also use encryption extensively."

Keeping up with the bad guys "can be a problem," Ponemon added. However, in the many years he has studied data breaches, he has also seen a positive side: "Most organizations that we have studied over time have improved their security posture by using more and better technologies and relying more on intelligence [and becoming] more systematic in terms of how they approach the data breach event." That's a trend, he noted, "consistent across industries and also geographies."

The full study examined the cost of data breaches for 419 companies worldwide in 17 industries. IBM sponsored the research. Both the worldwide report and country-specific reports are available for registration on the IBM security website here.