Data Breach Costs in Canada Among the Highest in the World – Ponemon Institute

Published on

August 30, 2018

Aug 2018 Charity & NFP Law Update

On July 11, 2018, the Ponemon Institute, LLC published the results of its annual study of the financial impact of data breaches on organizations in its 2018 Cost of a Data Breach Study: Global Overview (“Study”). The Study surveyed IT, data protection and compliance professionals in fifteen countries or regions whose organizations had experienced data breaches over the past year. According to the Study’s findings, the cost of data breaches on organizations’ bottom lines has continued to rise and more consumer records are lost or stolen every year.

In calculating costs to organizations, the Study broke the cost of a privacy breach into four cost centres: (1) costs related to detection, reporting and escalation of data breaches; (2) costs of notifying the individuals whose data was breached, notifying regulators and carrying out regulatory activities and communications; (3) costs of the post-breach response, including implementing processes to help individuals whose data was compromised and to pay for redress and reparations; and (4) the costs of lost business resulting from the data breach, such as business disruption, system downtime, customer “churn,” revenue losses and loss of reputation and goodwill.

The Study found that the average cost of a data breach has increased around the world, with the highest average per capita costs of a data breach being in the United States ($233 USD) and Canada ($202 USD). Canada had the highest direct costs per compromised record, at $81 USD per record, including expenses such as forensic expert costs, legal costs and identity protection services for victims. The United States had the highest indirect per capital cost of a data breach at $152 USD, such as the costs of using organizational resources for breach-related activities as well as the loss of goodwill and customer churn, with Canada in second place at $116 USD. It also found that criminal and malicious attacks cause the most data breaches, with organizations in the United States ($258 USD) and Canada ($213 USD) spending the most money to resolve malicious or criminal attacks on personal data. According to the Study, data breaches resulting from human error or system failure are less expensive to resolve.

The Study identified a number of factors that will affect the cost of a data breach. The top five cost-reducing factors include having an incident response team, extensive use of encryption, business community management involvement, employee training and participation in threat sharing. The top five cost-increasing factors include third-party involvement, extensive cloud migration, compliance failures, extensive use of mobile platforms and lost or stolen devices. Generally, the Study found that organizations that identified and contained data breaches more quickly were able to keep costs lower; costs for organizations that took over 100 days to do so were on average $1 million USD higher than those who took fewer than 100 days. The Study also identified a consistent relationship between the number of records lost and the cost of the data breach. The more records are lost, the higher the cost of the breach.

As data breaches can impact any organization, charities and not-for-profits should review the findings of the Study and of the potential costs to organizations for breaches of personal data. The Study serves as a reminder that the costs of data breaches can be extremely high and that charities and not-for-profits should adopt internal policies to prevent data breaches. Additionally, its outline of the factors that influence these costs may be a useful resource to guide charities and not-for-profits in implementing best practices to decrease costs when responding to data breaches.


Read the August 2018 Year Charity & NFP Law Update