Sunday, March 20, 2011

Fixing Data Breaches: Tracking the Cost and Damage Toll


The average cost of a data breach keeps going up for the organizations that have to clean up the resulting mess. The costs rose to more than $7 million in 2010, compared with $6 million in 2009. Other factors can make a data breach more expensive: rate of response (apparently slow is better), number of compromised records (size matters), industry sector (communications, financial and pharmaceuticals), type of breach (criminals are expensive) and whether it was the organization's first.

According to Ponemon Institute's sixth "Annual Study: U.S. Costs of a Data Breach," companies are moving faster to notify affected users, which in turn makes customers more nervous and often prompts them to leave. What's worse, responding quickly means organizations are likely to rush through the investigation and over-notify to be on the safe side, which causes even more customers to panic and leave. Organizations should be prepared with a strategy and proper forensics tools to conduct a thorough investigation, know the exact compliance requirements, and resist the urge to err on the side of caution. Know the extent of the breach before taking action, the study recommends.

The following are some numbers from the Ponemon Institute study about data breaches in 2010.

Total Cost: $7.2 Million

The total cost of a data breach has gone up 7 percent to $7.2 million. This includes cost of investigating and resolving the breach, notifying affected individuals, covering remedies such as credit protection services, and paying fines in a regulatory environment.


Per-Record Cost: $268 vs. $174

Speed apparently doesn't pay, not when it comes to data breaches. Companies that responded rapidly to a breach paid $268 per compromised record, as compared with companies that moved slower, which paid $174 per compromised record.


Cybercrime: 31 Percent and $318

For the first time since Ponemon Institute started the survey, malicious or criminal attacks were the most expensive cause of data breaches, accounting for 31 percent of all data breaches in 2010. Breaches that were the result of a malicious or criminal attack cost an average of $318 per compromised record.


Lost Business: $4.5 Million

The cost of lost business, such as lost sales as customers leave or lost productivity because employees were distracted or diverted from regular tasks, stayed roughly the same, at $4.5 million. However, it accounted for a smaller proportion of total breach costs: 63 percent of total cost in 2010 compared with 69 percent in 2008.


Costliest Breach: $35.3 Million

The most expensive data breach included in this year's study cost a company $35.3 million to resolve, compared with the least expensive, which cost $780,000. The cost of a data breach is directly proportional to the number of records compromised.


Customer Turnover: 4 Percent

Customers tend to leave after a data breach because they are leery of the company's IT security. Abnormal churn rates stayed at 4 percent, although pharmaceuticals and health care (both heavily regulated) inched up to 7 percent turnover. Public sector organizations had a churn rate of less than 1 percent.


Most Frequent Cause of Breaches: Negligence, 41 Percent

Negligence remains the most common reason for a data breach, accounting for 41 percent of the surveyed breaches. Breaches attributed to third parties, such as business partners and cloud service providers, accounted for 39 percent.


Cost to First Timers: $326 Per Record

Companies that had never had a data breach before paid the highest average costs. An organization's first data breach averaged $326 per compromised record.


Cost of Detection: $455,000

Organizations spent more to become more proactive in detecting and remediating data breaches in 2010. On average, detection and escalation activities cost $455,000, up 72 percent from 2009.


Compromised Records: 4,200 to 105,000

The "2010 Cost of a Data Breach" study examined 51 organizations that experienced a data breach across 15 industry sectors. The breaches in the study ranged from 4,200 records to 105,000 compromised records.