A data breach can have a significant impact on an organization—and the costs associated with a breach continue to rise.
IBM and Ponemon Institute's 2024 Cost of a Data Breach Report contains research from interviews with over 3,500 cyber security and business leaders and studies of 604 organizations impacted by data breaches between March 2023 and February 2024. The report considers the experiences of organizations across 17 industries and in 16 countries and regions, involving breaches that ranged from 2,100 to 113,000 compromised records.
The report highlights the staggering financial costs of data breaches:
- The average cost of a data breach was $4.88 million USD, a 10 per cent spike and the highest increase since the pandemic.
- Lack of personnel with cyber skills corresponded to an average $1.76 million USD more in breach costs.
- The industrial sector experienced the costliest increase of any industry, rising by an average $830,000 USD per breach over last year.
- Malicious insider attacks resulted in the highest costs, averaging $4.99 million USD. Among other expensive attack vectors were business email compromise, phishing, social engineering and stolen or compromised credentials.
In this article, we consider some of the direct and indirect costs commonly associated with data breaches.
Direct costs
- Incident investigation: Responding to a data breach requires coordinated effort from various professionals, many of whom will be third-party consultants. This may include:
  - Incident response managers to oversee the investigation and response process.
  - Digital forensics experts to investigate the cause and scope of the breach and whether the threat actor exfiltrated data, and to preserve evidence for potential legal proceedings.
  - Cyber security consultants who will help restore the organization's technical infrastructure and provide services, such as vulnerability assessments, to strengthen security after the breach.
  - Legal counsel with expertise in data protection and compliance.
- Data recovery: Costs to recover and restore lost data or systems compromised by the breach.
- Ransoms: Businesses subject to a ransomware attack may elect to pay the ransom in exchange for the hopeful return of the compromised data or restoration of their systems. Ransom demands may vary according to the size of the organization. For example, smaller enterprises may face demands of $50,000 to $500,000, while larger enterprises or public bodies may face demands for millions of dollars.
Please note that this decision requires significant analysis. An organization should only consider this option after receiving advice from its response team and legal advisors.
- Notification: There are significant costs associated with reviewing compromised data to evaluate whether the data contains:
  - Confidential information that requires the organization to notify third parties of a data breach pursuant to their contract terms (e.g., enterprise clients).
  - Personal information about individuals and, if so, whether the compromise of that data poses a real risk of significant harm, thereby triggering notification requirements under many regulatory schemes. Notably, the Report indicates 46 per cent of all breaches studied involved customer personal information.
  In addition to these identification costs, the organization will then incur costs to notify affected clients, vendors, partners and regulators of the breach.
- Public relations management: Using public relations firms to manage the organization's reputation and communicate with affected stakeholders or the general public.
- Credit monitoring: Organizations affected by data breaches involving the compromise of personal information often offer free or discounted credit monitoring services to affected individuals.
- Increased staffing: Additional staff for customer service and for responding to breach inquiries.
- Compensation to affected parties: Settlements, refunds, credits, liquidated damages or other pecuniary remedies provided to victims of the breach.
- Regulatory fines and penalties: Fines for non-compliance with data protection laws like the GDPR or under Quebec's Law 25.
- Cyber security upgrades: Investments made in upgrading or implementing stronger security systems after the breach.
Indirect costs
- Operational downtime: Data breaches typically result in an organization taking its systems offline during breach containment and investigation, which causes loss of productivity due to disrupted operations. Employees responsible for breach response will also spend significant time responding to the breach, which detracts from their normal duties and may result in significant overtime costs.
- Loss of competitive advantage: May result if an organization's proprietary information (e.g., trade secrets) is compromised. Notably, the IBM report indicates 43 per cent of breaches studied involved intellectual property records.
- Reputational damage: Loss of prestige applies not only to customer bases but lenders, prospective talent and the general public.
- Customer loss / loss of funding: Due to loss of trust, resulting in decreased revenue.
- Protracted sales cycles: B2B sales cycles may lengthen as a result of increased scrutiny and due diligence in procurement. This can be particularly pronounced at the enterprise level.
- Marketing: Increased marketing and promotional expenses to regain public trust or attract new clients after customer loss.
- Insurance premiums: Higher premiums for cyber security insurance (or denial of coverage) as a result of the breach.
- Increased scrutiny: The lingering effects of a data breach may subject an organization to increased scrutiny from regulatory bodies (e.g., long-term monitoring, audits) or other stakeholders.
- Litigation: Potential regulatory proceedings and/or individual or class action lawsuits from affected parties or shareholders, all of which can take years to resolve.
- Value decline: Drop in company valuation and share value, especially for publicly traded companies, after the business discloses news of the breach.
How to limit costs (and exposure)
Notwithstanding the significant costs associated with data breaches, there are tools organizations can implement to help reduce these potential costs.
Most importantly, this involves significant planning and training. Considerations may include strengthening your organization's existing cyber security measures as well as implementing a sound privacy and data protection program that addresses items such as retention and deletion of obsolete and irrelevant data.
Below are some helpful strategies identified in the IBM report:
- Two out of three organizations studied stated they are deploying security AI and automation across their security operations center. When deployed extensively across prevention workflows, organizations averaged $2.2 million USD less in breach costs compared to those with no AI use. This finding was the largest cost savings in the 2024 Report.
- Ransomware victims that involved law enforcement lowered the cost of the breach by an average of nearly $1 million USD, excluding the cost of any ransom paid. Involving law enforcement also shortened the time required to identify and contain breaches from 297 days to 281 days.
Your legal counsel can provide support as your organization develops its privacy, cyber, emergency preparedness and cyber incident response programs. To learn more, contact the author or a member of our Privacy & Cyber Security law team.