A new report finds that the average size of a data breach in the U.S. is 31,465 compromised records, and it takes 201 days on average to identify a breach is happening.

Data breaches are the most costly in the U.S., with more records containing personal information compromised in this country than anywhere else, according to the recently released report “2018 Cost of a Data Breach Study:  Global Overview” from IBM Security and the Ponemon Institute.

The global average cost of a data breach to a business is $3.86 million, and in the U.S. the average price tag swells to $7.91 million per breach, according to the report released in July 2018.

The report is based on interviews with 2,200 IT, data protection and compliance professionals from 477 companies that have had a data breach in the last 12 months. The results came from companies based in 15 countries, including 65 companies  in the U.S., and 7% of the 477 companies were retailers.

The report factored the following into the cost of a data breach:

  • Costs of discovery and response to data breach, such as forensics and investigation activities, audit services and crisis team management
  • Notification of victims, such as emails, letters and phone calls
  • Communication with regulators and engagement with outside experts
  • Issuing new accounts or credit cards
  • Product discounts, to appease shoppers after a breach
  • Increases in help desk communication
  • Legal fees
  • Fines
  • Fixing root causes of the data breach
  • Time to detect and contain the breach
  • Cost of business disruption and revenue loss from downtime
  • Cost of lost customers and acquiring new customers
  • Reputation losses and diminished good will

The $3.86 million global average cost of a breach is up 6.6% from $3.62 million in the 2017 report.

Globally, the companies reported that the average size of a data breach was 24,615 stolen records, and for U.S. companies, the average was higher with 31,465 compromised records per breach.

The bigger the breach, the more costly it is for a business, because of the added resources needed and the lost business cost, the report finds. A breach of 1 million records on average costs businesses $40 million compared with a breach of 50 million records, which costs $350 million.

Criminal attacks were the most common type of data breach internationally. The study found:

  • 48% of all breaches were caused by malicious or criminal attacks
  • 27% were human error/negligence among employees or contractors
  • 25% came from a system glitch

In the U.S., this breakdown was similar with 52% criminal, 25% human error and 23% system glitch.

What’s more, the global average cost per record to resolve the attack was the highest for criminal attacks:

  • $157 per record for criminal attacks
  • $131 per record for system glitches
  • $128 per record for human error or negligence

The global median time to identify a breach was 197 days, and the median time to contain it was 69 days. The U.S. is near these medians of 201 days to identify and 52 days to contain.

Finding and fixing the data breach varies globally based on what type of attack it is:

  • A malicious attack takes 221 days to identify and 81 days to contain, according to the global median
  • A system glitch 177 days to identify and 60 days to contain
  • A human error 174 days to identify and 57 days to contain

U.S. organizations pay the highest price for losing customers after a data breach, measured at $4.20 million in lost business per breach, which factors in abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished good will.

“U.S. companies have higher costs because customers have more options and their loyalty is harder to preserve,” according to the report. “With current notifications laws, customers have greater awareness of data breaches and have higher expectations regarding how companies should help them following the breach.”

Notification costs for a breach also are the highest in the U.S. at $740,000 on average. These costs include creating a contact database, determining all regulatory requirements, getting help from outside experts, postal feels for letter to consumers, email bounce-backs and inbound communication setups.