About the Report

Our research takes a variety of cost factors into account. By providing an overview of our methodology and by defining the factors and their weight and influence on our findings, we hope to help organizations make better decisions regarding resource allocation and to minimize financial consequences when the inevitable data breach strikes.

In this section of the report, we describe what factors we study that affect the cost of a data breach and provide answers to the most frequently asked questions about the study.

How we gathered the data

507 companies studied
3,211 individuals interviewed

For the 2019 Cost of a Data Breach Report, we recruited 507 organizations that experienced a breach in the last year and interviewed 3,211 individuals who are knowledgeable about the data breach incident in those organizations. The first data points we collected from each organization were the number of customer records lost or stolen in the breach and the percentage of its customer base that was lost following the data breach.

In the course of our interviews, we also asked questions to determine what the organization spent on activities detecting the breach and the immediate response to the data breach, such as forensics and investigations, and those conducted in the aftermath of discovery, such as the notification of victims and legal fees. Other issues studied that influence the cost are the root causes of the data breach and the time to detect and contain the incident (the data breach lifecycle).

How the cost of a data breach is calculated

To calculate the cost of a data breach, we use an accounting method called activity-based costing (ABC). This method identifies activities and assigns a cost according to actual use. The ABC methodology is fully explained in the How We Calculate the Cost of a Data Breach section of this report.

Four process-related activities drive a range of expenditures associated with an organization’s data breach detection, escalation, notification and post data breach response. The four cost centers are described in the How We Calculate the Cost of a Data Breach section.

For a more in-depth explanation of the methods used for this report, refer to the sections How We Calculate the Cost of a Data Breach, Organization Characteristics, and Research Limitations.

  • A data breach is defined as an event in which an individual’s name and a medical record and/or a financial record or debit card is potentially put at risk, either in electronic or paper format. In our study, we identified three main causes of a data breach: malicious or criminal attack, system glitch or human error. The costs of a data breach vary according to the cause and the safeguards in place at the time of the data breach.

  • We define a record as information that identifies the natural person (individual) whose information has been lost or stolen in a data breach. One example is a retail company’s database with an individual’s name associated with credit card information and other personally identifiable information. Another is a health insurer’s record of the policyholder with physician and payment information. In this year’s study, the average cost to the organization per compromised record was $150.

  • Our researchers collected in-depth qualitative data through 3,211 separate interviews conducted over a 7-month period with 507 companies. Recruiting of organizations began in October 2018 and interviews were completed April 30, 2019. Breaches studied occurred between July 2018 and April 2019. In each of the 507 participating organizations, we spoke with IT, compliance and information security practitioners who are knowledgeable about their organization’s data breach and the costs associated with resolving the breach.

    For privacy purposes we did not collect organization-specific information. Only events directly relevant to the data breach experience are represented in this research. For example, an organization may decide to increase investments in cybersecurity due to new threats or regulations, but those investments do not directly affect the cost of a data breach as presented in this research.

  • To calculate the average cost of a data breach, we collected both the direct and indirect expenses incurred by the organization. Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates. For consistency with prior years, we use the same currency translation method rather than adjust accounting costs. This approach only affects the global analysis because all country-level results are shown in local currencies.

  • The unit of analysis in the Cost of a Data Breach Report is the organization. In survey research, the unit of analysis is the individual. We recruited 507 organizations to participate in this study. Data breaches in the sample range from a low of 2,000 compromised records to slightly more than 100,000 records.

  • The average cost of a data breach in our research does not apply to catastrophic mega data breaches, such as Equifax or Facebook. These are not the typical breaches many organizations experience. Hence, to draw useful conclusions in understanding data breach cost behaviors, we target data breach incidents that do not exceed 100,000 records. However, this year’s study presents an alternative framework for measuring the cost impact of breaches involving one million or more records (mega breaches).

  • The sample size of 14 companies experiencing a mega breach is too small to perform a statistically significant analysis using activity-based cost methods. To remedy this issue, we deploy Monte Carlo simulation. This analytic approach allows us to estimate a range of possible (random) outcomes through repeated trials. In total, we performed more than 150,000 trials. The grand mean of all sample means provides a most likely outcome at each size of data breach–ranging from 1 million to 50 million compromised records.

  • Each annual study involves a different sample of companies. Generally, we do not track the same sample of companies over time. However, for the 2019 report we examined a sample of 86 companies over two or more years, which allowed us to analyze those companies that took a long time to remediate the data breach and what the costs were. To be consistent, we recruit a sample of companies each year with a similar breakdown of characteristics such as industry, headcount, geographic footprint and size of data breach. Since starting this research in 2005, we have studied the data breach experiences of 3,416 different organizations.
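The Monte Carlo approach described for mega breaches above (resampling a small panel many times and taking the grand mean of the sample means at each breach size) can be illustrated with a short bootstrap simulation. The code below is an added example and is not the report's own model or data: the 14 per-record cost values, the breach sizes and the trial count are constructed for illustration, and the report does not publish the per-company figures it actually used.

```python
"""Monte Carlo estimate of mega-breach cost from a small sample.

Added example, not from the report. The 14 per-record cost values below are
constructed for illustration and are not the report's data.
"""
import random
import statistics
from typing import Dict, List, Tuple

# Constructed per-record costs (USD) for 14 hypothetical mega breaches.
# The study does not publish its per-company figures; these are made up.
OBSERVED_COST_PER_RECORD: List[float] = [
    95.0, 110.0, 128.0, 140.0, 150.0, 162.0, 175.0,
    88.0, 118.0, 133.0, 147.0, 156.0, 168.0, 190.0,
]

# Breach sizes (records) at which to estimate cost; chosen to span the
# 1 million to 50 million range the report describes.
BREACH_SIZES: List[int] = [1_000_000, 5_000_000, 10_000_000, 50_000_000]


def simulate(
    observed: List[float],
    sizes: List[int],
    trials: int = 2000,
    seed: int = 2019,
) -> Dict[int, Tuple[float, float, float]]:
    """Bootstrap a small sample into a cost distribution per breach size.

    Each trial resamples len(observed) per-record costs with replacement
    (one simulated panel of mega breaches), takes that panel's mean cost per
    record and scales it by the breach size. The grand mean over all trials
    is the point estimate; the 5th and 95th percentiles of the trial results
    give the range of plausible outcomes.
    Returns {size: (grand_mean, p5, p95)} in USD.
    """
    if len(observed) < 2:
        raise ValueError("need at least two observed costs to resample")
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    results: Dict[int, Tuple[float, float, float]] = {}
    for size in sizes:
        sample_means: List[float] = []
        for _ in range(trials):
            panel = rng.choices(observed, k=len(observed))
            sample_means.append(statistics.fmean(panel) * size)
        sample_means.sort()
        grand_mean = statistics.fmean(sample_means)
        p5 = sample_means[int(0.05 * (trials - 1))]
        p95 = sample_means[int(0.95 * (trials - 1))]
        results[size] = (grand_mean, p5, p95)
    return results


if __name__ == "__main__":
    for size, (mean, lo, hi) in simulate(OBSERVED_COST_PER_RECORD,
                                         BREACH_SIZES).items():
        print(f"{size:>11,d} records: ${mean / 1e6:8.1f}M "
              f"(90% range ${lo / 1e6:.1f}M to ${hi / 1e6:.1f}M)")
```

Because every trial is a resample of the same small panel, the point estimate at each size is essentially the panel's mean cost per record multiplied by the record count, and the percentile band shows how much a 14-company sample leaves uncertain; the simulation widens or narrows that band as the observed values change, which is the reason to prefer it over a single activity-based total when the sample is this small.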