Study: Data breaches are getting more costly, repeat offenders abound

The cost of a data breach runs companies $202 per compromised record, up 2.5 percent from $197 per record in 2007 and up 11 percent from 2006, according to research from Ponemon Institute.

This is a guest post from Larry Dignan of TechRepublic's sister site ZDNet. You can follow Larry on his ZDNet blog Between the Lines, or subscribe to the RSS feed.

In its fourth annual study on data breaches, the Ponemon Institute, a security research firm, examined the costs of 43 companies that had been hit by a data breach. The study, sponsored by PGP Corp., comes up with the following conclusions, which were similar to those offered in the 2007 report.

  • The cost of lost business was the biggest effect of a breach. Lost business accounts for 69 percent of data breach costs; in 2006, it was 54 percent. "The real punishment is brand diminishment," says Ponemon Institute Chairman Larry Ponemon. "In some cases a company is facing the loss of customer trust."
  • Third-party data breaches are increasing. Outsourcers, contractors, consultants and partners are increasingly losing data. Third-party data breaches were reported by 44 percent of respondents. In 2005, third parties were responsible for 21 percent of breaches.
  • Third-party data breaches are also more expensive--$231 per compromised record.
  • Data breaches experienced by so-called first-timers are more costly--$243 per victim. Experienced companies--repeat data screw-ups--have the costs down to $192.
  • Unfortunately, more than 84 percent of all cases examined by Ponemon were repeat data breach offenders. On the bright side, 49 percent of respondents are creating additional manual procedures and control processes. I suppose the other 51 percent are waiting to get hit again before finding a clue.
  • Healthcare and financial services companies lose the most customers after a data breach. The healthcare customer churn rate is 6.5 percent, followed by financial services' 5.5 percent.

Here's the breakdown by industry: [chart]

Also notable: retail breaches are relatively cheap. [chart]

  • Fifty-three percent of respondents say that training and awareness programs prevent future breaches. Why? Humans, inadvertently, are the weakest link in the data breach equation. This was a common theme at the Wharton Information Security Best Practices conference last week. Indeed, 88 percent of all data breach cases involved negligence.

The data breach cost breakdown is also interesting. Audit, consulting and churn costs are going up. Other items are stable.

Overall, it's clear that more work needs to be done on data breaches. At the Wharton conference Friday, a bevy of legal types and chief privacy officers weren't sure where to start. Sure, there were some companies with detailed plans and procedures--Lexis-Nexis comes to mind--but that's because those firms were either hit with a breach or acquired a company that was (ChoicePoint in this instance). In the end, companies may not get the data breach prevention thing until they get hit.

10 comments
jasonhiner

Original post: http://blogs.techrepublic.com.com/hiner/?p=1001 Are you devoting more resources to security in your 2009 budget, or is it one of the items under pressure due to budget cuts?

Tony Hopkinson

Of course there could be improvements, and we make them in an ongoing improvement cycle. As much if not more through education as technology. In the more general picture, when all is said and done it's business. If it costs a ?100k, and if it happens and if you get found out and if you are deemed culpable, you may get your wrist slapped. Try and argue an investment business case for that in a thriving environment, never mind the nervous to 'Death Planet' we have now.

gadgetgirl

we need an offline conversation on data breaches.... from one who is fed up with investigating them. Awareness? Gettoff! They forget the whole thing as soon as they leave the presentation session because they ALL think it doesn't apply to them. Now, Jason - stop putting me on my soapbox. I'll only rant. Loud and long. GG

jasonhiner

Absolutely. You know I'd love to hear it and maybe we could even work it into a guest post. E-mail me.

gadgetgirl

consider yourself emailed! :) GG

Neon Samurai

I also like the use of "offline" in the proper sense rather than in the "after the meeting is over" sense.

Neon Samurai

I'd heard it before, forgotten about the usage then was reminded yesterday by a friend. My response was "well, next time they get stuck on 'I'll ping mr X on that' ask if they mean UDP, TCP or ICMP or did they mean to locate a submerged object?" I'm pretty sure the speaker wouldn't get the joke but it would amuse me greatly if I could pull it off diplomatically. ;)

jasonhiner

It's funny, but in the world of Internet startups, we've been using "Let's talk offline" as a metaphor for chatting after a meeting since about 2001. My other favorite is "Ping" as a metaphor for e-mail or IM, as in "Ping me when you're ready to launch the new widget."

robo_dev

Today's threat environment is not unlike the scenario in 'The Matrix Reloaded' with the sentinels constantly trying to breach the hull with their laser weapons and destroy Zion....the 'hull' is the network perimeter, the sentinels are bots and malware.

Neon Samurai

My servers are constantly getting hammered by 222. and other source IPs. I got my first 221. from Japan yesterday but China and some other sources (from or routed through) have been constant. It's a daily reminder to keep my servers locked down and not get complacent.