In a recent report, IBM published the findings of a Ponemon Institute research project on the cost of a data breach. The Institute examined 537 breaches across 17 countries and 17 industries. Part of that study involved 3,500 interviews specifically aimed at determining how much companies spent on identifying a breach and on the actions taken after it.

Calculating a Data Breach Cost

The report used information from breaches ranging in size from 2,000 to 101,000 records. The method used to estimate the cost of a data breach, a process called activity-based costing, divides the cost into four main process activities:

  1. Detection escalation
  2. Notification
  3. Post breach response
  4. Lost business

Detection escalation

This process covers the costs incurred once a breach is discovered and includes activities such as:

  • Forensics and investigation
  • Assessment and audit
  • Crisis management
  • Communication within the company

Notification

Once a data breach is discovered, the affected subjects must be notified. This includes:

  • Email, letters, calls and other correspondence sent out
  • Regulatory reporting of a breach
  • Communicating with regulators
  • Engagement of outside experts

Post Breach Response

Once notification has been made, a series of responses must take place between the breached company and its victims and regulators. These include activities such as:

  • Inbound communications
  • Credit monitoring
  • Identity protection
  • Legal expenditures
  • Product discounts
  • Regulatory fines (if applicable)

Lost business

Loss of business is perhaps the hardest part of a data breach to recover from, because a breach erodes the trust between a company and its customers. This includes expenses such as:

  • Business disruption
  • Revenue loss
  • Cost of lost customers
  • Acquisition of new customers
  • Reputation loss

Global Costs

Of the 17 countries examined, the U.S. had the highest total average data breach cost, at $9.05 million. The other countries rounding out the top five with the highest breach costs were the Middle East, Canada, Germany and Japan. Brazil had the lowest data breach cost of the 17 countries, at $1.08 million.

Globally, the report found that the average cost of a data breach was $4.24 million. That cost breaks down by category as follows:

  • Detection escalation – 29.2%
  • Notification – 6.3%
  • Post breach response – 27.3%
  • Lost business – 37.5%

Note: Total is more than 100% due to rounding.

Costs vary by industry

Overall, the Institute found that the cost of data breaches varied significantly by industry, with healthcare hit the hardest at $9.23 million, a 29.5% increase over 2020. The other industries rounding out the top five with the highest costs are:

  • Finance – $5.72 million
  • Pharmaceuticals – $5.04 million
  • Technology – $4.88 million
  • Energy – $4.65 million

Ironically, energy actually dropped from second place in 2020 to fifth in 2021 among the most targeted industries, a 27.2% decrease. Other industries seeing increased breach costs range from services, at a low of 7.8%, to media, at a high of 92.1%. Other industries in between include:

  • Communications
  • Consumer
  • Retail
  • Hospitality
  • Public sector

Next time we will look at the weaknesses and failures in areas within a company that allowed breaches to happen, and what companies can do to shore up these areas and reduce the chances of a breach in the future.

Kness retired in November 2007 as a Senior Noncommissioned Officer after 36 years of service with the Minnesota Army National Guard, 32 of them in full-time status alongside service as a traditional guardsman. Kness takes pride in still being able to help veterans, military members, and families as they struggle through veteran and dependent education issues.