The Cost of Data Breaches
By Corinne Bernstein | Posted 2009-04-10
The costs run into the millions, and the price is going up.
The total cost to a company of recovering from a single data breach reached $6.6 million in 2008, an increase of 4.5 percent from the $6.3 million cost in 2007, according to a recent benchmark study conducted by the Ponemon Institute and sponsored by PGP Corp. Lost business accounted for nearly 70 percent of the cost of a data breach (compared with 65 percent in 2007), averaging $4.6 million.
The study examined costs at 43 organizations in 17 industry sectors. Breaches included in the survey ranged from fewer than 4,200 records to more than 113,000.
Increasing customer losses have contributed to the higher lost-business costs. Between 2005 and 2008, customer churn rates grew by $64 per victim—a 38 percent overall increase. The sectors suffering the highest customer losses were health care, with a 6.5 percent average churn rate, and financial services, with a 5.5 percent churn rate.
The biggest cause of breaches, according to the study, is insider negligence. More than 88 percent of all cases in 2008 involved incidents resulting from negligence. The per-victim cost for data breaches involving negligence amounted to $199 per record, versus $225 for malicious acts.
The number of breaches involving third-party organizations continues to climb. In 2008, 44 percent of respondents reported breaches caused by members of third parties, such as outsourcers, contractors, consultants and business partners, up from 40 percent in 2007.
Although consulting, legal defense and other costs rose as a result of data breaches, organizations are managing these breaches more cost-effectively, the study found. More than half the respondents said training and awareness programs are leading company efforts to prevent future breaches.
“Organizations are getting better at detecting breaches,” says the institute’s Larry Ponemon. “But to reduce the incidence of data breaches, they need to use better security technologies, such as encryption and identity access management, and they must provide more training to their employees.”