Data breach costs continue to rise in 2009, Ponemon study finds

By Robert Westervelt, News Editor
25 Jan 2010 | SearchSecurity.com


In 2009, the cost of a data breach increased for the fifth straight year to $204 per compromised record, but a number of factors, including an increase in the use of data breach consulting services and the experience gained from handling previous breaches, are slowing expense increases, according to an annual study conducted by the Ponemon Institute LLC.

The Traverse City, Mich.-based research firm interviewed 45 companies, many of which had had multiple data breaches, and determined that the average annual data breach cost rose from $6.65 million in 2008 to $6.75 million in 2009. The "Fifth Annual U.S. Cost of Data Breach Study," funded in part by encryption vendor PGP Corp., determined the annual cost of a data breach by adding up a company's lost business as a result of an incident, the expenses incurred in notifying individuals and authorities of a breach, legal fees and consulting costs, and new investments made in technology and employee education.

The most expensive data breach reported by one of the 45 firms in the study involved more than 100,000 customer records and cost $31 million to resolve.

"There's no real way to avoid a data breach; it's going to happen," said Larry Ponemon, chairman and founder of the institute. "The good news is that companies get better in handling a breach with experience and that results in lower costs."

About 82% of the firms interviewed in the Ponemon study reported more than one data breach. The experience gained through a previous breach helped firms better manage the fallout associated with a breach: the per-victim cost for a first-time data breach is $228, versus $198 for companies that have experienced two or more incidents.

"Companies that have experienced a breach in the past take their time; they don't make abrupt decisions and they sometimes hire a consultant to help manage the response," Ponemon said.

Firms that notify potential victims quickly experience higher average data breach costs than those that move slower and determine exactly how many customers were affected.

Meanwhile, the study found that many of the breaches were associated with lost laptops and USB drives (40%), and that system errors and account statement mix-ups (36%) also contributed to company data breaches. Malicious attacks accounted for about 24% of the breaches, Ponemon said. But perhaps the biggest problem contributing to data breaches is mistakes made by third-party vendors and company partners such as contractors and consultants, Ponemon said. Those errors were associated with breaches at 42% of the firms surveyed.

More money is being spent on legal defenses than ever before, Ponemon said. Despite many class-action lawsuits being thrown out of court, companies are hiring legal teams to fight the claims.

"All it takes is one court challenge to succeed to cause problems," Ponemon said.

The study found that financial services, communications and healthcare firms experience the highest level of customer loss as a result of a breach. Ponemon said these industries rely on trust to maintain business, and a breach contributes to an erosion of that trust. Retailers, energy and media companies, which have less direct consumer contact, seem to experience lower overall customer loss, resulting in lower data breach costs. For example, the TJX Companies Inc., which experienced a massive breach at its T.J. Maxx and other retail locations in 2007, bounced right back in less than a year, posting consecutive profitable quarters through the global economic recession. The company held a customer appreciation day and relied on discounts to lure customers back.

"If handled properly, companies will survive a breach," Ponemon said. "There's no excuse for not taking a defense-in-depth approach toward security and maintaining a secure environment; just because you will survive doesn't mean you'll want to go through the pain or put your customers through the aggravation of having a breach."
