Cost of a Data Breach - Dr. Larry Ponemon, Ponemon Institute

New Ponemon Report Details Hard, Soft Costs

By , February 2, 2010.

What's the cost of a data breach?

The Ponemon Institute is out with its 5th annual "Cost of a Data Breach" study, and in an exclusive interview Dr. Larry Ponemon discusses:

The current cost of a data breach - and how it's risen since 2009;
Data breach trends across industry;
What organizations should do to respond to or prevent breaches.

Ponemon is the Chairman and Founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework.

Ponemon Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in various industries. In addition to Institute activities, Dr. Ponemon is an adjunct professor for ethics and privacy at Carnegie Mellon University's CIO Institute. He is a Fellow of the Center for Government Innovation of the Unisys Corporation.

TOM FIELD: What is the cost of a data breach?

Hi, this is Tom Field, Editorial Director with Information Security Media Group. The long-awaited Ponemon Report is out, talking about the latest breach statistics, and we are privileged to be speaking with Larry Ponemon, the Chairman of Ponemon Institute.

Larry, thanks so much for joining me.

LARRY PONEMON: Well, thank you, Tom; it is a pleasure to be here.

FIELD: So, the report is just out; what would you say are the headlines from this latest annual report?

PONEMON: Oh gosh, well, probably the number one headline is that the cost of data breach is still significant. And why is that important? Every year we are surprised by the fact that the cost of data breach increases. A lot of people believe that over time the public is immune to all of this, and we have become complacent to data breach notifications -- that we really don't care much about companies losing their data. But that is not true. It seems that people, the public at large, we really care deeply about data breaches. We don't like them, and we don't want companies to lose their data, and we certainly don't want the cyber criminals to gain access to this information.

FIELD: Larry, is it too simplified to say what is the cost of a data breach this year, or can you give us a hard statistic on that?

PONEMON: Sure, let me give you a hard statistic. Last year the cost of data breach, as measured on a per compromised record basis (sometimes referred to as a "per victim cost"), was $202, and this year it is a whopping $204. So that is actually a $2 increase on a per compromised record basis, which by the way doesn't sound like much, but suppose you had a data breach that was 100,000 records? It would be a small fortune.

FIELD: What do you find to be the biggest changes this year since the previous year's report?

PONEMON: Well, the biggest change this year -- there are actually several. Number one, the cost categories -- the proportion of costs against the different activities that we measure -- basically stayed pretty constant, but there were really some notable exceptions to that. One notable exception was the legal defense cost category. Usually that is not a large cost for an organization, based on a whole bunch of factors, but this year that legal defense cost increased by more than 50 percent.

We think that is kind of an indicator, maybe a leading indicator, that companies are starting to recognize that the possibility, the real possibility that they might someday face a very expensive litigation, maybe even a class action litigation. Interestingly about that cost category, the legal defense category, it was across our whole sample. So it was in financial services, telecom, the retail industry sector and so forth.

FIELD: Larry, beyond the hard costs to an organization, what are breaches costing in terms of some of the soft costs?

PONEMON: Well, one of the soft costs -- and even though we call it soft, it is a real cost to an organization -- is the brand impact. An organization that has a data breach, unfortunately it is a bad fact, people care deeply about it, and it affects the hard-earned reputation of organizations. Now while it is a soft cost, it could be enormously expensive for an organization to have to get back to where they were; so that is number one.
