Breaches, Damned Breaches and Their Statistics

Locke Lord Privacy & Cybersecurity Newsletter
November 13, 2015

Interesting conclusions about data breach costs emerge from two new studies, the 2015 Ponemon Institute’s Cost of Cyber Crime Study: Global and the 2015 NetDiligence® Cyber Claims Study. While the phrase alluded to in our title and popularized by Mark Twain might invite general skepticism about statistics, these two well-regarded studies leave no doubt that both data breaches and the average cost of addressing them are on the rise.

The Ponemon report found that the current year’s average internalized cost for a cyber crime suffered by a U.S. entity is $15 million, an almost 20% increase over the prior year’s average. The costs vary with the size of the breached entity, the number of records, the nature of the infiltration, the type of information affected, and the duration of the breach and the remediation.

The NetDiligence® report found that “hackers were the most frequent cause of loss” and that there was “insider involvement in 32% of the claims submitted” to insurers. The authors also noted that more claims are being submitted to insurers. The average claim payout from an insurer to an insured entity was $674,000, with more than 75% of the amount associated with crisis services (forensics, notification, credit/identity monitoring, legal guidance, and public relations). According to the report, costs for an insured organization are up to 30% lower than for an uninsured entity.

While the Ponemon Institute examined the costs of a breach and not who pays for it, the recent NetDiligence® report focused on the portion of breach costs and exposure covered and paid for by insurers. With different methodologies and purposes, information from the two reports is not intended to match up. However, both reports reveal ever-increasing numbers of cyber incidents, significant costs or potential exposure, and confirmation that the scope and effects of breaches can be wide-ranging.

The Ponemon study is based on field research, including interviews of senior-level personnel, covering more than 500 organizations in seven countries. The NetDiligence® study is based on information from insurance underwriters about covered claims arising from data breaches and their costs.

Molly McGinnis Stine is a Partner and John F. Kloecker is Of Counsel in Locke Lord’s Chicago office. They can be reached at and