Data-breach costs rising, study finds

In its study of 43 companies that suffered a data breach last year, the Ponemon Institute found the total cost of coping with the consequences rose to US$6.6 million per breach, up from $6.3 million in 2007 and $4.7 million in 2006.

The cost per compromised record in 2008 rose 2.5 per cent over the year before to $202 per record (all figures U.S.), according to the study being released Monday.

“Each company is like a case study,” says Larry Ponemon, head of the research group, noting that these 43 companies volunteered to participate in the study, which doesn’t reveal their names.

But the study, which was sponsored by security vendor PGP, makes some findings about these companies struggling with the fallout of a data-breach incident, which often is publicly reported due to state regulations requiring notification of individuals if their confidential personal data has been lost, stolen or compromised.

“For the majority of our companies, it was not their first time,” says Ponemon about the 43 U.S.-based companies in the 2008 data-breach study. “84% of the cases were repeat offenders, and only 16% were new.”

He adds the first-timers found a data breach to be more expensive. According to the study, the first-timers found themselves coughing up $243 per record, while for experienced companies, costs were held down to $192 per victim record.

There are some distinct consequences of a data breach, especially in healthcare and financial services, Ponemon notes. In these two industries more than others, customers notified of a data breach are more likely to discontinue association with companies that failed to secure sensitive data about them.

Despite headlines about lost and stolen data, “What continues to amaze me is that you’d think that people would be indifferent to a data-breach notification, but people continue to care a lot,” Ponemon said.

While the average customer “turnover” or “churn” due to a data breach was generally 3.6 per cent, in healthcare it was a much higher 6.5 per cent and in financial services 5.5 per cent. And the cost of a healthcare breach, at $282 per record, was more than twice as high as that of the average retail breach at $131 per record.

In other findings, the Ponemon study said 88% of all the cases for 2008 were traced back to insider negligence. The survey also showed that 44 per cent of data breaches occurred due to external causes involving third parties, an increase from 40 per cent in 2007 and 29 per cent in 2006, the Ponemon report states.

A third-party breach is defined as one involving third-party professional services, outsourcers, vendors and business partners that were in possession of the data and responsible for holding it.

Costs for a data breach mount up because of lost business and legal defense, which grew in 2008, while costs of customer support, notification and free services such as credit monitoring decreased, according to the study.

The most-cited steps that companies took following a breach included training and awareness programs; more manual procedures and controls; expanded use of encryption; identity and access-management deployments; and data-loss prevention products.
