Data Breach Costs Rising

Survey Says Companies Pay Nearly $200 for Each Compromised Account

The cost of a data breach has gone up to nearly $200 per compromised customer record. And if your third-party service provider loses your customer data, the cost to you is even higher.

These facts are among the findings of the 2007 Annual Study: Cost of a Data Breach, released by the Ponemon Institute, a privacy and information management research firm.

Data breach incidents cost companies $197 per compromised customer record in 2007, compared to $182 in 2006, the survey finds. Lost business opportunity, including losses associated with customer churn and acquisition, represents the most significant component of the cost increase, rising from $98 in 2006 to $128 in 2007, a 30 percent increase.

"The data from 2007 suggests that although companies are responding to data breaches more efficiently, consumers seem to be less forgiving when their personal information is compromised," says Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "The bigger problem, however, remains the persistent underlying issue of data security. Of course, the easiest way for institutions to avoid the costs associated with a data breach would be to avoid a breach in the first place."

According to the Privacy Rights Clearinghouse, data loss incidents involving more than 215 million individual records have occurred since January 2005. The report focuses on the results of actual data breaches in 35 U.S. organizations across industries ranging from financial services to retail, health care, and software. Six financial institutions that experienced a data breach participated in the 2007 survey.

The annual Cost of a Data Breach study tracks a wide range of cost factors, including legal, investigative and administrative expenses, as well as customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions.

Key findings include:

  • Average total per-incident costs in 2007 were $6.3 million, compared to an average per-incident cost of $4.8 million in 2006.
  • The cost of lost business increased by 30 percent to an average of $4.1 million in 2007, approximately two-thirds of the average total cost per incident.
  • Breaches by third-party organizations such as outsourcers, contractors, consultants and business partners were reported by 40 percent of respondents, up from 29 percent in 2006. Breaches by third parties were also more costly than breaches by the enterprise itself, averaging $231 compared to $171 per record.
  • Notification costs fell 40 percent, decreasing from $25 per customer in 2006 to $15 in 2007, suggesting a more measured, less reactive breach response.

The following six technology measures (in rank order) were enacted after a data breach:
  • Expanded use of encryption
  • Data loss prevention solutions
  • Identity and access management solutions
  • Endpoint security controls
  • Security event management solutions
  • Perimeter controls

The 2007 Annual Study: Cost of a Data Breach was derived from a detailed analysis of 35 data breach incidents, ranging in size from fewer than 4,000 to more than 125,000 records. The study shows there is a positive correlation between the number of records lost and the cost of an incident. Companies analyzed were from 16 different industries, including communications, consumer goods, education, entertainment, financial services, gaming, health care, hospitality, internet, manufacturing, marketing, media, retail, services, technology, and transportation.

An earlier Ponemon survey, The 2007 Consumer Survey on Data Security, showed 62 percent of respondents have been notified that their confidential data has been lost, and 84 percent of those respondents report increased concern or anxiety due to data loss events.

"Our research clearly shows that data breaches are affecting consumers' trust in the organizations with which they share their data and, ultimately, their buying behavior," Ponemon says.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



