According to a study by the Ponemon Institute on the costs of data breaches involving 11 countries, the average organizational cost of a data breach in 2015 was $3.79M, averaging $154 per exposed record. In Canada, the average cost per data breach reached $6.03M in 2016, up from $5.32M in 2015. The average organizational cost per exposed record increased from $250 in 2015 to $278 in 2016. The average number of records exposed in a data breach in Canada was 20,456.
What is a data breach?
A data breach is defined as an event in which an individual’s name plus an identifiable record, either in electronic or paper format, is potentially exposed. There are three main causes of a data breach: malicious or criminal attack, system glitch and human error.
What is a compromised record?
A compromised record is information that identifies the individual whose information has been lost or stolen in a data breach. Examples can include a client file containing personally identifiable information, in either electronic or paper format.
Government of Canada moves to impose Mandatory Notification Requirements
In June 2015, the government of Canada passed the Digital Privacy Act, amending provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) and imposing mandatory requirements for organizations to notify both affected individuals and the Privacy Commissioner of Canada when breaches of private data occur. In addition to reporting the extent of the data breach to government and affected individuals, the amendments require reporting to credit bureaus and other interested organizations in situations where doing so would reduce the harm to the affected individuals.
For most organizations, the introduction of mandatory notification requirements will expose them to new costs and organizational challenges as the need for enhanced cyber security, incident response and employee training around data breaches becomes a priority.
Given the staggering statistics, few companies can absorb the financial costs of a large-scale data breach on their own; one possible solution to manage this exposure is to procure cyber liability insurance.
Cyber Liability Insurance
Cyber liability insurance policies can take many shapes; the structure of the policy will depend on the needs of the insured organization and may include notification costs of affected parties, credit monitoring, indemnification for loss of data, cyber extortion expense and business interruption loss. In addition, some cyber liability policies cover the financial losses of an affected third party and legal expenses to defend actions alleging negligence in the handling of personal information and ineffective network security.