Regulations' Impact on Data Breach Costs

Analyzing Latest Ponemon/Symantec Cost of Data Breach Study

The 2013 Cost of Data Breach Study recently released by the Ponemon Institute and Symantec shows that organizations that have a chief information security officer have lower costs for each record breached than those who lack a CISO.

"The reason that the CISO exists really is to maintain a strong security posture, to put processes and systems in place to protect the data," says Robert Hamilton, Symantec's director of product marketing, who participated with Ponemon Institute's Larry Ponemon in an interview with Information Security Media Group (transcript below). "By having someone focused on that effort, you're naturally going to put systems and processes in place and see your cost per record [breached] fall."

(A chart in the transcript below shows how much organizations save in the cost for each record breached if they have a CISO.)

Aside from enlisting a CISO, organizations can work to lower the cost of data breaches by taking other key steps, says Ponemon, chairman of the market research and polling firm.

"Just being prepared, having an incident response plan in place, doing the manual low-tech things as well as having the right technology is very important," Ponemon says. "Vigilance is everything in this game."

In the interview, Ponemon and Hamilton analyze other findings from the 2013 Cost of Data Breach Study, including:

  • The overall cost of the average breach, by nation;
  • The average number of affected records for each breach, by nation;
  • Why regulation plays a factor in the cost of a data breach.

Ponemon in 2002 founded the Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices. He also is an adjunct professor for ethics and privacy at Carnegie Mellon University's CIO Institute.

Since late 2008, Hamilton has been Symantec's director of product marketing, leading marketing teams for data loss prevention, encryption and user authentication.

Range of Breach Costs

ERIC CHABROW: This is the eighth year you've conducted the Cost of Data Breach survey. Is there anything in this new survey that surprises you?

LARRY PONEMON: Every year there are at least one or two surprises, and I think the biggest surprise for me is just the market variation across countries. We do nine country studies now, and if you kind of look at the range of cost, on the low end we see India and Brazil, and on the very high end we see Germany and the United States. We're not talking about pennies that differ apart; we're talking about big, big differences in cost. We have some theories behind it, but in general we think that's a very interesting finding. There are others as well.

CHABROW: What do you find as some of the theories?

PONEMON: One theory is that as organizations are more heavily regulated, the cost goes up initially, then tends to flatten out and actually starts to decrease. The most heavily regulated industries in data breach would include financial services and healthcare within countries like the United States and Germany. That may explain in part why the costs are so high. There's a second possibility, and that is we find that the costs associated with malicious or criminal attacks are more expensive than data breaches resulting from negligence or system glitches, and we know ... data breaches that occur because of external attacks, hackers or malicious insiders are more likely to happen in places like Germany and the United States than in Brazil and India. I think those are some of the reasons why we think the cost differences are just so great.

CHABROW: Could there be a factor in that, in some of these more regulated countries, there's more value to the information that they have?

PONEMON: That's a good question. I don't think there's just one issue. I think it's probably a collection of factors. In some countries, like Germany for example, I think people care a lot about their privacy and, as a result, companies do more to preserve their trust than countries like Brazil and India. Not to pick on India and Brazil, because they're great countries, but maybe it's a less important kind of an element between consumers and companies.

Regulation's Impact