Average Cost of a Data Breach is $202 Per RecordAnnual Study Shows 2.3 % Increase Over 2007 The news of the Heartland Payment Systems (HPY) data breach gives new meaning to an annual study of what such a breach truly costs a business.
The average cost of a data breach was $202 per compromised record in 2008, according to the Ponemon Institute's Cost of Data Breach study. This represents a 2.3 percent increase from 2007, when a data breach cost an average of $197 per record. In 2006, the average cost was $182 per record.
The average total cost per reporting company was more than $6.6 million per breach, ranged from $613,000 to almost $32 million.
The study also shows that the cost of lost business continues to carry the highest impact, averaging $4.59 million, or $139 per record compromised, notes Larry Ponemon, chairman and founder of the Ponemon Institute. Lost business now accounts for 69 percent of data breach costs, up from 65 percent in 2007 and 54 percent in the 2006 study.
Third-party data breaches are on the increase, and they cost more. Breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners were reported by 44 percent of respondents, up from 40 percent in 2007, 29 percent in 2006, 21 percent in 2005. Per victim cost for third party flubs is $52 higher, says Ponemon -- $231 compared to last year's $179.
The research firm's initial study established objective methods for quantifying specific activities that result in direct, indirect and opportunity costs from the loss or theft of personal information, thus requiring notification to breach victims as required by law or policy.
The study's current analysis of the actual data breach experiences of 43 U.S. companies from 17 different industry sectors takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after the fact (ex-post) response. "We also analyze the economic impact of lost or diminished customer trust and confidence, measured by customer churn or turnover rates," explains Ponemon. Breaches included in the survey ranged from less than 4,200 records to more than 113,000 records.
Utilizing activity-based costing, the study's methods captured information about direct expenses such as engaging forensic experts, outsourced hotline support, free credit monitoring subscriptions, and discounts for future products and services. The study also captured indirect costs such as in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished acquisition rates.
Regulations in 44 states, the District of Columbia, Puerto Rico and the Virgin Islands now require individuals, including customers, employees, citizens, students and alumni to be notified if their confidential or personal data has been lost, stolen, or compromised.