This year’s study examines the costs incurred by 54 U.S. companies in 14 industry sectors after those companies experienced the loss or theft of protected personal data and then had to notify breach victims as required by various laws. It is important to note the costs presented in this research are not hypothetical but are from actual data loss incidents. They are based upon cost estimates provided by the more than 450 individuals we interviewed over a ten-month period in the companies that are represented in this research.
The number of breached records per incident this year ranged from approximately 5,000 records to more than 99,000 records. This year the average number of breached records was 28,765. We do not include organizations that had data breaches in excess of 100,000 records because they are not representative of most data breaches, and including them in the study would skew the results.
The report examines a wide range of business costs, including expense outlays for detection, escalation, notification, and after-the-fact (ex-post) response to a data security breach. We also analyze the economic impact of lost or diminished customer trust and confidence as measured by customer turnover or churn.