By Sarah Anderson

DATA BREACH METRICS FROM 2019 TO 2020: Overall Decrease in Cost, but Increase in Cost for Healthcare

Published by IBM Security, the Ponemon Institute's 2020 Data Breach Report unsurprisingly showed a marked increase in the frequency of data breaches in the USA. Two metrics were new to this year's report: 1) participants identifying the type of threat actors responsible for the attacks and their motivations; and 2) the positive impacts felt by companies that engaged red teams to conduct internal vulnerability and penetration tests.

The excerpted statistics are below:

  • The average cost of a data breach decreased approx. 1.5% from $3.92 million last year to $3.86 million. However, the average total cost of a data breach has increased by 10% since 2014.

  • Incident response (IR) preparedness was the highest cost saver for businesses. The average total cost of a data breach for companies with an IR team that also had tested an IR plan was $3.29 million, compared to $5.29 million for companies with neither an IR team nor tests of the IR plan — a difference of $2 million. The cost difference between these groups was $1.23 million in the 2019 study.

    • Red team testing also decreased the cost of a data breach by $243,184.00.

  • 80% of breached organizations stated that customer PII was compromised during the breach, far more than any other type of record. The cost per record of customer PII increased to $175 in breaches caused by a malicious attack.

  • Anonymized customer data was involved in 24% of breaches in the study, at an average cost of $143 per record, which increased to $171 per record in breaches caused by malicious attacks.

  • Malicious attacks registered as the most frequent root cause (52% of breaches in the study), versus human error (23%) or system glitches (25%), at an average total cost of $4.27 million.

    • Malicious breaches took an average of 315 days to identify and contain.

    • Breaches caused by a system glitch took approximately 244 days to identify and contain.

    • Breaches caused by human error took 239 days to identify and contain.

  • Lost business costs accounted for nearly 40% of the average total cost of a data breach, increasing from $1.42 million in the 2019 study to $1.52 million in the 2020 study. Lost business costs included increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation.

  • Breaches caused by Nation-State actors or Advanced Persistent Threats, which accounted for 13% of the reported breaches, were the most expensive types of breaches – costing an average of $200,000 more than the most common type of breach.

  • 53% of breaches were carried out by financially motivated criminals, 13% by hacktivists, and the actors behind a further 21% remained unknown.

  • On average, companies in the 2020 study required 207 days to identify and 73 days to contain a breach in 2019, combining for an average “lifecycle” of 280 days. While the lifecycle of a breach averaged 329 days in the healthcare sector, the average lifecycle was 96 days shorter in the financial sector (233 days).

  • Fully deployed security automation helped companies reduce the lifecycle of a breach by 74 days compared to companies with no security automation deployment, from 308 to 234 days.

  • Organizations subject to more rigorous regulatory requirements had higher average data breach costs.

  • Healthcare, energy, financial services, and pharmaceuticals experienced an average total cost of a data breach significantly higher than less regulated industries such as hospitality, media, and research.

    • Public sector organizations traditionally have the lowest cost of a data breach in this research because they are unlikely to experience a significant loss of customers following a data breach.

  • Energy, healthcare, and retail industries experienced the greatest increase in data breach costs.

  • Healthcare recorded the highest average time to identify and contain a breach at 329 days.

    • The average cost of a data breach in the healthcare industry increased by 10% since 2019, to $7,130,000.00.

    • 80% of 2020 healthcare industry breaches included PII records, with each PII record estimated to cost $150.00 per breach.

  • The financial industry had the slowest industry response time to identify and contain a data breach at 233 days.

  • The employment of a remote workforce increased the average total cost of a data breach ($3.86 million) by nearly $137,000.
