The cost of a data breach runs companies $202 per compromised record, up 2.5 percent from $197 per record in 2007 and up 11 percent from 2006, according to research from Ponemon Institute.
In its fourth annual study on data breaches, the Ponemon Institute, a security research firm, examined the costs of 43 companies that had been hit by a data breach. The study, sponsored by PGP Corp., comes up with the following conclusions, which were similar to those offered in the 2007 report.
- The cost of lost business was the biggest effect of a breach. Lost business accounts for 69 percent of data breach costs. In 2006, lost business was 54 percent of data breach costs. "The real punishment is brand diminishment," says Ponemon Institute Chairman Larry Ponemon. "In some cases a company is facing the loss of customer trust."
- Third party data breaches are increasing. Outsourcers, contractors, consultants and partners are increasingly losing data. Third party data breaches were reported by 44 percent of respondents. In 2005, third parties were responsible for 21 percent of breaches.
- Third party data breaches are also more expensive—$231 per compromised record.
- Data breaches experienced by so called first timers are more costly—$243 per victim. Experienced companies—repeat data screw-ups—have the costs down to $192.
- Unfortunately, more than 84 percent of all cases examined by Ponemon were repeat data breach offenders. On the bright side, 49 percent of respondents are creating additional manual procedures and control processes. I suppose the other 51 percent are waiting to get hit again before finding a clue.
- Healthcare and financial services companies lose the most customers after a data breach. The healthcare customer churn rate is 6.5 percent followed by financial services' 5.5 percent.
Here's the breakdown by industry:
Also notable: Retail breaches are relatively cheap:
- Fifty-three percent of respondents say that training and awareness programs prevent future breaches. Why? Humans inadvertently are the weakest link in the data breach equation. This was a common theme at the Wharton Information Security Best Practices conference last week. Indeed, 88 percent of all data breach cases involved negligence.
The data breach cost breakdown is also interesting. Audit, consulting and churn costs are going up. Other items are stable.
Overall, it's clear that more work needs to be done on data breaches. At the Wharton conference Friday, a bevy of legal types and chief privacy officers weren't sure where to start. Sure, there were some companies with detailed plans and procedures—Lexis-Nexis comes to mind—but that's because those firms were either hit with a breach or acquired a company that was (ChoicePoint in this instance). In the end, companies may not get the data breach prevention thing until they get hit.