Average Cost Per Record of US Data Breach in Ed: $245

The average cost of a data breach in the United States rose for the fourth straight year, hitting $225 per compromised record--the highest it has been since 2006, when the Ponemon Institute began to publish research on the topic.

In education, which tends to be more heavily regulated regarding data privacy, the average "per capita" cost for 2017 in this country is even higher: $245. That's considerably more than the worldwide per-record cost in education of $200. (Per capita represents the total cost of the data breach divided by the number of lost or stolen records.)

According to Ponemon's "2017 Cost of Data Breach Study," the average total organizational cost across all segments, not just education, is $7.35 million, up almost five percent over last year's $7 million. The average number of records exposed was 28,512. The major component of that expense--about $1.51 million--is related to the business lost because of the breach: turnover of customers or "churn," increased customer acquisition cost, "reputation losses" and "diminished goodwill." Education, as an industry, experiences far less churn (1.8 percent) compared to other segments, such as financial or life sciences (7.1 percent and 5.7 percent, respectively).

The next largest portion of the expense ($1 million) is tied to detection and escalation efforts, such as forensics, root cause determination, identifying victims and organizing a response. That's followed by related services ($930,000), such as help desk operations, inbound communications, product discounts and setting up subscriptions to identity protection services for victims. The smallest aspect of the cost of a data breach is the expense of notifying the affected people and regulators; that equals about $199,000.

Ponemon reported that nearly half of U.S. data breaches (47 percent) are due to "malicious or criminal attack." These are also the most expensive type of breach to resolve. Another 28 percent come about through human error; and 25 percent occur because of "system glitches, including both IT and business process failures."

New factors that the research took into consideration as the results were being compiled included two areas of importance to schools: the extensive use of mobile platforms, which tacked an additional cost of $6.50 per record breached, and compliance failures, which added a whopping $19.30 per capita.

Compared to other types of organizations, education tends to take a long time to identify and contain data breaches. On average, worldwide, education takes 221 days for the first part of the work and 83 days for the second part. As a comparison, financial takes only 155 days to identify a potential breach and 34 days to respond and contain it. those aspects are important, the research noted, because the longer the duration of those two aspects of data breaches, the higher the cost to the organization.

The report offered several strategies for reducing the cost of future data breaches. For example, organizations that have an incident response team in place tend to lower the damage control cost per record by more than $19. Those that use encryption extensively save about $16. And a solid training program for employees has an impact of $12.50. These aren't cumulative because there's so much overlap, explained Researcher Larry Ponemon during a recent presentation covering the results of the report. "Companies that have an [incident response] team probably also use encryption extensively."

Keeping up with the bad guys "can be a problem," Ponemon added. However, in the many years he has studied data breaches, he has also seen a positive side: "Most organizations that we have studied over time have improved their security posture by using more and better technologies and relying more on intelligence [and becoming] more systematic in terms of how they approach the data breach event." That's a trend, he noted, "consistent across industries and also geographies."

The full study examined the cost of data breaches for 419 companies worldwide in 17 industries. IBM sponsored the research. Both the worldwide report and country-specific reports are available for registration on the IBM security website here.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • Training the Next Generation of Space Cybersecurity Experts

    CT asked Scott Shackelford, Indiana University professor of law and director of the Ostrom Workshop Program on Cybersecurity and Internet Governance, about the possible emergence of space cybersecurity as a separate field that would support changing practices and foster future space cybersecurity leaders.

  • person typing on a touch screen schedule plan calendar

    2025 Tech Tactics in Education Conference Agenda Announced

    Registration is free for this fully virtual May 7 event, focused on "Thriving in the Age of AI" in K-12 and higher education.

  • illustration of a human head with a glowing neural network in the brain, connected to tech icons on a cool blue-gray background

    Meta Launches Stand-Alone AI App

    Meta Platforms has introduced a stand-alone artificial intelligence app built on its proprietary Llama 4 model, intensifying the competitive race in generative AI alongside OpenAI, Google, Anthropic, and xAI.

  • glowing AI text box emerges from a keyboard on a desk, surrounded by floating padlocks, warning icons, and fragmented shields

    Study: 1 in 10 AI Prompts Could Expose Sensitive Data

    Nearly one in 10 prompts used by business users when interacting with generative artificial intelligence tools may inadvertently disclose sensitive data, according to a study released by data protection startup Harmonic Security Inc.