Regulations' Impact on Data Breach Costs

Analyzing Latest Ponemon/Symantec Cost of Data Breach Study

By Eric Chabrow, June 11, 2013.

Regulations initially cause organizations to spend more funds on data breaches, but eventually those rules could save enterprises money, the Ponemon Institute's Larry Ponemon says in analyzing his latest study on breach costs.

The 2013 Cost of Data Breach Study, which the institute conducted for IT security provider Symantec, pegs the average global cost of a data breach at $136 per record in 2012, up $6 from 2011. The study estimates that the breach cost per record in the United States averaged $188 in 2012, down from $194 in 2011. The study, issued earlier this month, says human errors and system problems caused about two-thirds of data breaches, and that those causes contributed to the worldwide increase in costs.

In a joint interview with Information Security Media Group, Ponemon and Symantec's Robert Hamilton credit the decline in U.S. data breach costs to U.S. enterprises having stronger security postures and incident response plans, as well as more routinely employing chief information security officers, a practice that is less common abroad.

Regarding government oversight, Ponemon and Hamilton say nations with more regulations, such as the United States and Germany, tend to have higher data breach costs, at least initially, than do countries with far fewer regulations, such as Brazil and India.

"Regulations always cost companies in the early stage because they have to change significantly their business process," says Ponemon, chairman of the market research and polling firm.

Initially, Ponemon says, regulations could create confusion within the enterprise as those charged with designing breach prevention and incident response plans try to figure out how to keep regulators happy. "We also know it helps an organization, from a structure point of view, that regulations like HIPAA and some of the financial-service regulations provide prescriptive guidance - steps that you can take. And as organizations learn to do this, they probably become even better and more efficient at managing the cost of the data breach," he says.

Healthcare and financial services companies maintain more personally identifiable information on their servers than enterprises in other sectors, so it's not surprising they have a higher per capita cost for each data breach than retailers and consumer products companies, the researcher says.

Hamilton points out that healthcare data breach costs can be attributed, in part, to the large number of lost laptop computers that contain personally identifiable and other sensitive information.

In the interview, Ponemon and Hamilton analyze other study findings, including:

  • The value of a chief information security officer in holding down data breach costs: the study reports a lower cost per breached record for organizations that have a CISO.
  • The overall cost of the average breach, by nation.
  • The average number of affected records for each breach, by nation.

Researchers, using a confidential and proprietary benchmark method, based their findings on an analysis of a survey of 277 companies from nine countries. Besides the United States, the countries in the study are Australia, Brazil, France, India, Italy, Japan, Germany and the United Kingdom.

Ponemon in 2002 founded the Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices. He also is an adjunct professor for ethics and privacy at Carnegie Mellon University's CIO Institute.

Since late 2008, Hamilton has served as director of product marketing, leading Symantec's marketing teams for data loss prevention, encryption and user authentication.

Follow Eric Chabrow on Twitter: @GovInfoSecurity