Cost Of Data Breaches Up Again, Ponemon Study Says

Everything's more expensive these days -- and experiencing a major corporate data breach is no exception.

The Ponemon Institute and Symantec earlier this week released the findings of the "2010 Annual Study: U.S. Cost of a Data Breach," which reveals data breaches grew more costly for the fifth year in a row.

The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009, according to the researchers.

"Every year I predict that the costs will go down, and every year, I'm wrong," quipped Larry Ponemon, founder of the Ponemon Institute. "We did see some leveling off last year, but the overall costs are still on the rise."

The sixth annual report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors.

Interestingly, companies that responded quickly to data breaches ended up paying 54 percent more per record than companies that moved more slowly, according to the study. Forty-three percent of companies notified victims within one month of discovering the breach, up seven points from 2009. In 2010, these quick responders had a per-record cost of $268, up 22 percent from 2009; companies that took longer paid $174 per record, down 11 percent.

Malicious or criminal attacks are the most expensive breaches, the study says, and are on the rise. In this year’s study, 31 percent of all cases involved a malicious or criminal act -- up seven points from 2009 --and the cost of these compromises averaged $318 per record, up 43 percent from 2009.

While external breaches are on the increase, negligence remains the most common threat, Ponemon says. The number of breaches caused by negligence edged up one point to 41 percent and averaged $196 per record, up 27 percent from 2009.

Companies are more vigilant about preventing system failures, according to the report. System failure dropped nine points to 27 percent in 2010. "This trend indicates organizations may be more conscientious in ensuring their systems can prevent and mitigate breaches through new security technologies and compliance with security policies and regulations," Ponemon says.

Encryption and other technologies are gaining ground as post-breach remedies, but training and awareness programs remain the most popular, the study says. Sixty-three percent of respondents use training and awareness programs after data breaches, down four points from 2009. Encryption is the second-most implemented preventive measure as a result of a data breach, with 61 percent. Both encryption and data loss prevention (DLP) solutions have increased 17 percent since 2008.

The study takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after-the-fact (ex-post) response. The study also analyzes the economic impact of lost or diminished customer trust and confidence as measured by customer churn or turnover rates.

"Churn is still the highest cost that we see," Ponemon said. "There's an attitude out there that users no longer care about their privacy as much, but our data shows that they really do."

The U.S. Cost of a Data Breach Study was derived from a detailed analysis of 51 data breach cases with a range of nearly 4,200 to 105,000 affected records. The study found there is a positive correlation between the number of records lost and the cost of an incident. Companies analyzed were from 15 different industries.

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.