How much does a data breach cost in 2024?
The cost of data breaches is increasing rapidly. Learn how a potential cyber exposure could affect your business, and how to reduce the associated expenses.
Data breach costs have been on a steep upward trend, increasing by 10% in 2024 compared to 2023. The global cost of cybercrime is also spiking, estimated to surpass $9.5 trillion in damages in 2024. To put the rapidly rising cost of cyber threats into perspective, the annual cost was about $3 trillion in 2015.
Determining exactly how much a potential data breach could cost your business may be difficult, as every business and industry has unique exposures and risk factors. That said, it’s important to educate yourself and your staff on the different factors that affect the cost of data breaches so that you can do your best to minimize your risk.
In this article, we’ll discuss how much data breaches cost different business industries and take a look at some ways to reduce damages.
What constitutes a data breach?
Every security incident in which one person or system gains unauthorized access to another’s information is considered a data breach.
Both internal and external actors can be responsible for a data breach, and the breaches themselves don’t even have to be intentional. In fact, according to Verizon’s 2023 Data Breach Investigations Report, up to 74% of all cyber incidents involve some sort of human error, ranging from falling for a phishing attempt to making a mistake that leads to a breach.
For example, an employee may accidentally send sensitive data to an incorrect email address, committing an accidental data breach. The same goes for an employee accessing confidential client or company data they are not authorized to view, regardless of whether they did so intentionally.
According to the National Cybersecurity Center of Excellence, data exposures can fit within the following categories:
- Confidentiality breach: When an unauthorized inside or outside agent gains access to confidential data by accident. This frequently happens with data such as patient records. Confidential data can include information on customers, employees, or a business.
- Availability breach: When confidential data is either lost or destroyed following a cyberattack. This happens with ransomware, for example, when cybercriminals lock or encrypt certain blocks of data.
- Integrity breach: When an inside or outside actor alters confidential data, on purpose or accidentally. Businesses often take a long time to notice this type of breach, as no data goes missing.
Depending on the situation, these types of breach can occur individually or in combination.
Cost of a data breach in 2024
Data breaches are costing businesses more and more, and they can have severe financial repercussions and damage your business’s reputation. In 2024, the average global cost of a data breach was nearly $4.88 million, according to IBM’s 2024 Cost of a Data Breach report, which interviewed more than 600 organizations around the world. But don’t panic — this doesn’t necessarily mean that your business will automatically pay nearly $5 million in the event of a cyberattack. Hundreds of factors can affect the cost of a breach to your company, including your industry, location, the scale of the breach, and the size of your organization, just to name a few.
Long tail vs. short tail costs of a data breach
Unfortunately, most data breaches are not simply solved after the initial incident, which means the costs will continue to add up over time. When your company faces a data breach, you’ll need to prepare for both the short tail (immediate) costs and the long tail (long-term) expenses. The initial short tail costs may be large, but long tail costs can accumulate significantly. Let’s take a closer look at the difference between the two.
Short tail costs
These are the immediate, upfront expenses that happen right after a breach is detected. If your company experiences a data breach, your immediate reaction will be to engage your cyber incident response plan, investigate the cause and scale of the breach, and notify any affected customers or shareholders. These expenses are generally incurred in the first few weeks and months after the data breach occurs. The possible costs may include:
- Fees paid to your legal counsel
- Regulatory fines
- Costs of notifying affected parties
- Settlement or court fees
- Costs for implementing your cyber incident response plan
Long tail costs
These are the more extended, ongoing costs that arise long after the initial breach response. Depending on the scale of the damage caused by the breach, long tail costs could potentially last years. Long tail costs of a data breach include:
- Long-term legal costs and lawsuits
- Operational downtime
- Improvements to your cyber security (training, new software, etc.)
- Recovering your damaged business reputation
Regulatory compliance fines and penalties for data breaches
One of the most significant cost factors of a data breach comes from regulatory fines and fees. To avoid significant fines for not complying with data protection laws, businesses all over the world need to abide by local data breach notification laws. These laws set timing requirements for informing affected clients and the authorities. In the U.S., for example, each state has its own laws regulating data storage and the timeframe for notifying affected parties after a breach, so the notification deadline differs from state to state.
The 2019 Data Breach Prevention and Compensation Act was created to uphold preventative measures. Additionally, the Office of Cybersecurity in the Department of Commerce was founded as part of the Act at the Federal Commission, with the sole purpose of supervising data security.
In the European Union, the 2018 General Data Protection Regulation (GDPR) mandates a strict 72-hour notification rule. GDPR is also important for U.S. companies since it applies to any company that sells products or services on the EU market and not solely EU-based companies.
Data breach notification laws and regulations affect the cost of a data breach a great deal. For example, in Arizona, violations can have a penalty of $10,000 per resident, up to a maximum of $500,000. In Florida, companies may have to pay $1,000 for every day that a data breach goes undisclosed for the first 30 days and $50,000 for each subsequent 30-day period, up to a maximum penalty of $500,000.
Violating the EU’s GDPR can result in even more severe penalties. The most serious infringements can be fined up to 20 million euros, while less severe infringements can bring fines of up to 10 million euros.
Lawsuits and legal settlements
Another significant cost that your business may incur as a result of a data breach comes from lawsuits or settlements. If a customer or shareholder decides to sue your company for damages caused by a data breach, you may be required to pay settlement fees, court-ordered fines, and the fees of your own legal counsel. There are quite a few grounds on which your company may be sued after a breach, including negligence, breach of contract, and breach of fiduciary duty.
As you might expect, settlements and legal fees can vary drastically depending on the scale and severity of the breach and the number of people affected. For example, in 2017, Equifax reported a data breach affecting nearly 150 million people, making it one of the biggest data breaches of all time. The company eventually agreed to a settlement of up to $700 million, $425 million of which goes directly to helping affected customers.
Reputational loss
Damage to a business’s reputation is an often forgotten cost of cyber incidents. A data breach can cause your customer base to lose trust in your company’s security and integrity. This can lead to significant revenue losses that could end up being even more costly than regulatory fines or legal fees. The average cost of reputation damage or loss of revenue due to a data breach in 2024 was $1.47 million.
Business interruption
Another common cost associated with data breaches is business interruption or system downtime. This occurs when your core operation systems are down while you deal with the data breach and stabilize your organization. Depending on the type of data breach or cyberattack, your systems could be down for a few minutes to a few months — the average system downtime from a ransomware attack is 24 days. According to a 2024 study, the average cost of system downtime for businesses is around $5,600 per minute. However, downtime can cost drastically more for larger high-risk industries such as healthcare, manufacturing, finance, and media, costing up to $5 million per hour in some cases.
Cost of data breaches by industry
Your business industry is one of the major factors that can affect the cost of a data breach. According to a 2024 study, the industries that are the most at risk of experiencing a costly data breach are healthcare, finance, pharmaceuticals, tech, energy, and professional services. The average cost of a data breach for each of these industries is significantly higher than the global average of $4.88 million.
While healthcare saw a decline of nearly $1 million in the average data breach cost from $10.93 million in 2023 to $9.77 million in 2024, the industry is still by far the costliest. On the other hand, the technology industry saw a 17% increase in a single year from $4.66 million in 2023 to $5.45 million in 2024.
Here is a breakdown of some of the costliest industries for data breaches in 2024:
| Industry | Average 2023 Breach Cost | Average 2024 Breach Cost | % Change |
|---|---|---|---|
| Healthcare | $10.93 million | $9.77 million | -10.6% |
| Finance | $5.9 million | $6.08 million | +3% |
| Industrial | $4.73 million | $5.56 million | +17.5% |
| Technology | $4.66 million | $5.45 million | +17% |
| Energy | $4.78 million | $5.29 million | +10.7% |
| Pharmaceuticals | $4.82 million | $5.1 million | +5.1% |
| Professional services | $4.47 million | $5.08 million | +13.6% |
The type of data breach plays a role in the cost
As previously mentioned, the type of data that is breached holds some weight when determining the costs. Organizations have a wide variety of data to protect, ranging from credit card information to details from a person’s private life.
For example, a minor data breach in which an employee accidentally sends sensitive information to the wrong person or views a document they are not meant to see will be far less damaging and, therefore, less costly than a major data breach stemming from a malicious cyberattack.
If a hacker gains access to your system and steals the information of a large number of customers, the potential regulatory fines and “clean-up costs” are going to be much higher than for a small-scale breach. We aren’t talking about minor differences either; the scale of a breach and the type of information that has been stolen can make a difference of millions of dollars in costs.
Data breach cost by country/region
Your company’s region also plays a major part in the overall cost of a data breach. For example, according to IBM’s report, in the U.S., data breaches are costing companies nearly twice the global average. However, in emerging markets like India and ASEAN, data breaches tend to cost much less.
Here is a breakdown of the average data breach costs in some major countries and regions around the globe:
- USA: $9.36 million
- The Middle East: $8.75 million
- Germany: $5.31 million
- Canada: $4.66 million
- United Kingdom: $4.53 million
- Latin America: $4.16 million
- ASEAN: $3.23 million
- Australia: $2.78 million
- South Africa: $2.78 million
- India: $2.35 million
How to reduce the cost of a data breach
While it is true that both the frequency and severity of data breaches have increased dramatically in recent years, there are quite a few things you can do to cut back the impact and reduce the cost of a breach.
Keep your cyber security software up to date
One of the best ways to reduce the cost of a breach is to ensure your security systems are fully optimized and up to date. Introduce regular software updates, as legacy software is more susceptible to cyberattacks. Ensure that your operating systems are always up to date, and patch antivirus software, firewalls, and all third-party applications to address new vulnerabilities. We recommend implementing automatic updates where possible to reduce the risk of human oversight.
Respond efficiently
Working on faster response times when it comes to cyber exposures is also important. A working post-breach protocol will help you keep your cool following a cybersecurity incident and minimize the damages. A well-crafted cyber response plan can minimize the amount of time your system is compromised and significantly speed up your recovery time. While you will need to allocate resources to formulating an incident response plan, it is well worth it, as not having a proper plan can wreak havoc on your business.
Train employees
As mentioned above, the majority of data breaches start with some form of human element. A simple employee error can result in a costly breach. Many data breaches are completely avoidable, and with the right training program, you can reduce your risk of a data breach by up to 70%. Invest as much time and money as you can spare in employee cybersecurity awareness training. This will help you prevent data breaches and social engineering attacks like phishing.
Restrict access to sensitive data
Another way to reduce the impact and cost of a data breach in your company is to restrict sensitive data to only the absolutely essential employees. This creates segmentation within your system and prevents incidental unauthorized access to confidential data. For example, a finance team could be given access only to payment data, while marketing staff are limited to customer demographics. This segmentation ensures that your employees can perform their roles effectively without exposing unnecessary sensitive information.
Invest in cyber liability insurance
No contingency plan or prevention method can be 100% effective. Given the enormous potential cost of a data breach, most businesses should consider investing in a cyber insurance policy with a data breach inclusion. The right cyber insurance policy will allow you to transfer all data breach-related risks and costs to your insurer in return for a monthly fee or premium. A solid policy will provide two-sided coverage:
- First-party coverage: Your cyber insurance policy will cover any damage caused to your business and the cost of recovery from a security incident.
- Third-party coverage: The policy will provide defense costs and settlements if you’re held liable by your customers, partners, or other parties that have had their information leaked from your networks.