Cost of Data Breaches Continues to Rise

If you're looking for a way to justify an increase in your security budget, look no further than the sixth annual study of data breach incidents by The Ponemon Institute.  Its study shows that -- once again -- costs are on the rise. The in-depth examination of breaches at 51 U.S. enterprises in 15 different industries was conducted between March and December 2010.

Since 2006, total breach costs have grown every year, according to Ponemon’s 2010 Annual Study:U.S. Cost of a Data Breach. In 2010, the average cost was $7.2 million, up from $6.8 million in 2009. Companies spent $214 per compromised record on average, a rise of $10 per record (or 5 percent) from the previous year. Industry sectors suffering the highest per-record expenses were communications ($380), financials ($353), and pharmaceuticals ($345). Those suffering the smallest per-record costs were media ($131), education ($112), and the public sector ($81).

The study found that although companies prefer to act quickly (43 percent notified customer within a month of discovering a breach, up from 36 percent in 2009), it’s costing them more per record to do so than for companies that take longer to take action. “In 2010, quick responders had a per-record cost of $268, up $49 (22 percent) from $219 the year before. Companies that took longer paid $174 per record, down $22 (11 percent) from 2009.”

Quick action wasn’t the only characteristic that Ponemon noticed. Also rising this year: there were enterprises wth CISOs leading their data breach response, and more enterprises maintained an “above-average IT security posture.” The study concludes that “Taken together, these figures may indicate more organizations are taking more active steps to thwart hostile attacks.” The report says breaches from “systems failures, lost or stolen devices, and third-party mistakes” declined. “All these point to companies becoming more conscientious about preventing data breaches in the worsening threat environment.”

Ponemon reports that the cost of malicious or criminal attacks -- which accounted for nearly one-third (31 percent) of all breaches examined -- skyrocketed. “The 2010 cost per compromised record of a data breach involving a malicious or criminal act averaged $318, up $103 (48 percent) from 2009 and the highest of any data breach cause this year. The huge increases reinforce the extreme danger hostile breaches pose.” Such breaches occurrences rose 7 percentage points over 2009, which itself had double the number of breaches over 2008.

Negligence is still the most common threat, and it’s costing more. “The number of breaches attributed to negligence edged up a point to 41 percent. Breaches from negligence in 2010 averaged $196 per record, up $42 (27 percent) from 2009.” Ponemon says the relatively unchanged rate “may indicate that ensuring employee and partner compliance remains an ongoing challenge.”

Among the preventive actions the report recommends are automated enterprise data protection solutions which employ encryption (including protecting mobile devices), data loss prevention solutions, identity and access management products, and endpoint security tools.

Despite the downsides organizations may see in regulatory compliance, such efforts do lower churn rates, Ponemon says, by “boosting customer confidence in organizations’ IT security practices.”

The report examines a wide variety of business costs, such as those to detect, escalate, notify, and follow-up on breaches, as well as the “impact of lost or diminished customer trust and confidence as measured by customer turnover, or churn, rates.”

It doesn’t stop there: the study examines such direct costs as employing forensic experts, outsourcing hotline support, credit monitoring subscriptions for affected customers, and future product or service discounts -- as well as indirect costs such as in-house investigations and internal communication.

Churn, however, accounted for the greatest cost component. “For the second straight year, abnormal churn or turnover of customers after data breaches appears to be the dominant factor in data breach cost.” Most post-breach churn rates remained at 4 percent, but those in the pharmaceutical and health-care industries lost 7 percent of their customers. Public-sector organizations suffered the least, with churn rates below 1 percent.

The study was conducted by The Ponemon Institute and sponsored by Symantec.

-- James E. Powell
Editorial Director, ESJ

Posted by Jim Powell on 03/08/2011