The financial damage caused by a data breach has spiked by more than 6 percent since last year and now costs companies an average of $3.86 million each, according to a new study.

Companies are judged by both how they protect data and how they respond to a breach: “Failure to respond urgently, transparently, and with empathy can result in a near extinction-level event.”

Aside from expensive technical investigations and regulatory filings, a breach also includes hidden costs such as lost business, negative impact on reputation, and employee time spent on recovery, according to a new report by the Ponemon Institute.

The 2018 Cost of Data Breach Study, sponsored by IBM Security, found that the average cost for each lost record rose from $141 to $148, an increase of nearly 5 percent. Healthcare organizations had the highest costs associated with a lost or stolen record, at $408 — three times higher than average.

For the first time, this year’s study calculated the costs of a mega breach. IBM says there were 16 mega breaches last year, as compared to just nine in 2013. Not surprisingly, the bigger the breach, the higher the cost. The Ponemon Institute’s analysis of 11 mega breaches found:

  • The average cost of a breach involving 1 million records was nearly $40 million.
  • The cost of a breach totaling 50 million records was estimated to be $350 million.
  • The average time to detect and contain a mega breach was 365 days — 99 days longer than a smaller breach (266 days).
  • Nearly all of these breaches (10 out of 11) resulted from malicious or criminal attacks, not system glitches or human error.

To prepare this report, the Ponemon Institute interviewed more than 2,000 IT, data protection, and compliance professionals from 477 companies in 15 countries that experienced a data breach over the past 12 months.

NBC NEWS | Herb Weisbaum