Research Limitations

Our study utilizes a confidential and proprietary benchmark method that has been successfully deployed in earlier research. However, there are inherent limitations with this benchmark research that need to be carefully considered before drawing conclusions from findings.

  • Our study draws upon a representative, non-statistical sample of global entities experiencing a breach involving the loss or theft of customer or consumer records during a period from July 2018 to April 2019. Statistical inferences, margins of error and confidence intervals cannot be applied to these data given that our sampling methods are not scientific.

  • The current findings are based on a small representative sample of benchmarks. In this global study, 507 companies completed the benchmark process. Non-response bias was not tested, so it is possible that companies that did not participate are substantially different in terms of underlying data breach cost.

  • Because our sampling frame is judgmental, the quality of results is influenced by the degree to which the frame is representative of the population of companies being studied. It is our belief that the current sampling frame is biased toward companies with more mature privacy or information security programs.

  • The benchmark information is sensitive and confidential. Thus, the current instrument does not capture company-identifying information. It also allows individuals to use categorical response variables to disclose demographic information about the company and industry category.

  • To keep the interview script concise and focused, we omitted other important variables from our analyses such as leading trends and organizational characteristics. The extent to which omitted variables might explain benchmark results cannot be determined.

  • The quality of benchmark research is based on the integrity of confidential responses provided by respondents in participating companies. While certain checks and balances can be incorporated into the benchmark process, it is always possible that respondents did not provide accurate or truthful responses. In addition, the use of cost extrapolation methods rather than actual cost data may inadvertently introduce bias and inaccuracies.

  • This year, a strong U.S. dollar significantly influenced the global cost analysis. The conversion from local currencies to the U.S. dollar deflated the per record and average total cost estimates. For purposes of consistency with prior years, we decided to continue to use the same accounting method rather than adjust the cost. It is important to note that this issue only affects the global analysis because all country-level results are shown in local currencies.

If you have questions or comments about this research report or you would like to obtain additional copies of the document (including permission to quote or reuse this report), please contact by letter, phone call or email:

Ponemon Institute LLC
Attn: Research Department
2308 US 31 North
Traverse City, Michigan 49686 USA

The Cost of a Data Breach Report is sponsored, analyzed and reported by IBM Security. Previous years’ Cost of a Data Breach Reports are available at

Ponemon Institute LLC
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.

About IBM Security

IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research, provides security solutions to help organizations stop threats, prove compliance, and grow securely. IBM operates one of the broadest and deepest security research, development and delivery organizations. It monitors more than two trillion events per month in more than 130 countries and holds more than 3,000 security patents. To learn more, visit


  • The years referenced in this report are for the year of publication. The data breach incidents studied in the 2019 report occurred between July 2018 and April 2019.
  • The research in the Cost of a Data Breach Report is conducted by the Ponemon Institute and results are sponsored, analyzed and reported by IBM Security. The study is based on a non-scientific sample of 507 companies. The key findings are based on IBM and Ponemon analysis of the data and do not necessarily apply to organizations outside of the group that was studied.
  • Scandinavia is not included in this analysis because this is the first year the region has been included in the study.
  • The percentage change shown in Figure 9 is calculated from cost figures in local currencies rather than the U.S. dollar. Hence, this analysis is not influenced by currency gains or losses.
  • Negligent insiders are individuals who cause a data breach because of their carelessness, as determined in a post data breach investigation. Malicious attacks can be caused by hackers or criminal insiders (employees, contractors or other third parties).
  • The most common types of malicious or criminal attacks included malware infections, criminal insiders, phishing/social engineering and SQL injection.
  • Public sector organizations utilize a different customer turnover framework given that customers of government organizations typically do not have an alternative choice.
  • Estimated probabilities were captured from sample respondents using a point estimation technique. Key individuals such as the CISO or CPO who participated in cost assessment interviews provided their estimate of data breach likelihood for 10 levels of data breach incidents (ranging from 10,000 to 100,000 lost or stolen records). The time scale used in this estimation task was the forthcoming 24-month period after the interview. An aggregated probability distribution was extrapolated for each one of the 507 participating companies.