Average Cost Per Record of US Data Breach in Ed: $245

The average cost of a data breach in the United States rose for the fourth straight year, hitting $225 per compromised record--the highest it has been since 2006, when the Ponemon Institute began to publish research on the topic.

In education, which tends to be more heavily regulated regarding data privacy, the average "per capita" cost for 2017 in this country is even higher: $245. That's considerably more than the worldwide per-record cost in education of $200. (Per capita represents the total cost of the data breach divided by the number of lost or stolen records.)

According to Ponemon's "2017 Cost of Data Breach Study," the average total organizational cost across all segments, not just education, is $7.35 million, up almost five percent over last year's $7 million. The average number of records exposed was 28,512. The major component of that expense--about $1.51 million--is related to the business lost because of the breach: turnover of customers or "churn," increased customer acquisition cost, "reputation losses" and "diminished goodwill." Education, as an industry, experiences far less churn (1.8 percent) compared to other segments, such as financial or life sciences (7.1 percent and 5.7 percent, respectively).

The next largest portion of the expense ($1 million) is tied to detection and escalation efforts, such as forensics, root cause determination, identifying victims and organizing a response. That's followed by related services ($930,000), such as help desk operations, inbound communications, product discounts and setting up subscriptions to identity protection services for victims. The smallest aspect of the cost of a data breach is the expense of notifying the affected people and regulators; that equals about $199,000.

Ponemon reported that nearly half of U.S. data breaches (47 percent) are due to "malicious or criminal attack." These are also the most expensive type of breach to resolve. Another 28 percent come about through human error; and 25 percent occur because of "system glitches, including both IT and business process failures."

New factors that the research took into consideration as the results were being compiled included two areas of importance to schools: the extensive use of mobile platforms, which tacked an additional cost of $6.50 per record breached, and compliance failures, which added a whopping $19.30 per capita.

Compared to other types of organizations, education tends to take a long time to identify and contain data breaches. On average, worldwide, education takes 221 days for the first part of the work and 83 days for the second part. As a comparison, financial takes only 155 days to identify a potential breach and 34 days to respond and contain it. those aspects are important, the research noted, because the longer the duration of those two aspects of data breaches, the higher the cost to the organization.

The report offered several strategies for reducing the cost of future data breaches. For example, organizations that have an incident response team in place tend to lower the damage control cost per record by more than $19. Those that use encryption extensively save about $16. And a solid training program for employees has an impact of $12.50. These aren't cumulative because there's so much overlap, explained Researcher Larry Ponemon during a recent presentation covering the results of the report. "Companies that have an [incident response] team probably also use encryption extensively."

Keeping up with the bad guys "can be a problem," Ponemon added. However, in the many years he has studied data breaches, he has also seen a positive side: "Most organizations that we have studied over time have improved their security posture by using more and better technologies and relying more on intelligence [and becoming] more systematic in terms of how they approach the data breach event." That's a trend, he noted, "consistent across industries and also geographies."

The full study examined the cost of data breaches for 419 companies worldwide in 17 industries. IBM sponsored the research. Both the worldwide report and country-specific reports are available for registration on the IBM security website here.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • a glowing gaming controller, a digital tree structure, and an open book

    Report: Use of Game Engines Expands Beyond Gaming

    Game development technology is increasingly being utilized beyond its traditional gaming roots, according to the recently released annual "State of Game Development" report from development and DevOps solutions provider Perforce Software.

  • abstract representation of equity at the core of AI

    Why Equity Must Be a Core Part of the Conversation About AI

    AI is an immensely powerful tool that can provide customized support for students with diverse learning needs, tailoring educational experiences to meet student’s individual needs more effectively. However, significant disparities in AI access and digital literacy skills prevent many of these same students from fully leveraging its benefits.

  • Man wearing headset working on a computer

    Internet2: Network Routing Security and RPKI Adoption in Research and Education

    We ask James Deaton, vice president of network services, about Internet2's initiatives and leadership efforts to promote routing security and RPKI adoption in research and higher education networks.

  • network of transparent cloud icons, each containing a security symbol like a lock or shield

    Okta, OpenID Foundation Propose New Identity Security Standard

    Okta and the OpenID Foundation have announced the formation of the IPSIE Working Group — with the acronym standing for Interoperability Profiling for Secure Identity in the Enterprise — dedicated to a new identity security standard for Software-as-a-Service (SaaS) applications.