How not to handle a data breach

Press the panic button as soon as you find evidence customer data has been compromised, and you'll pay the price

Once a data breach is discovered, the best response is to spring into action and notify customers as fast as humanly possible, right? Well, not really.

A brand-new Ponemon Institute study [PDF] sponsored by Symantec finds that data breach victims often move too quickly, wasting lots of money and losing customers unnecessarily.

According to Ponemon's "Annual Study: U.S. Costs of a Data Breach," companies that respond to data breaches by immediately notifying their users end up spending 54 percent more per record than companies that move more slowly. Forty-three percent of surveyed companies notified customers within one month of discovering the breach, but these companies ended up with per record costs of $268, up 22 percent from 2009. Companies that took longer than a month spent only $174 per record, down 11 percent from 2009.

What's the explanation? It turns out that many companies tend to panic when they find a data breach, thanks to fears about lawsuits, regulatory fines, and bad publicity, and thus are not as prepared with the forensic tools and strategies as they should be. Their gut reaction is to get notification over with as fast as possible, so they end up notifying an excess of customers, including many of those who are unaffected by the breach. As a result, they end up shooting themselves in the foot. The biggest cost of data breaches is customer churn, according to the study, and many of these companies end up losing lots of customers that they didn't need to notify.

According to Ponemon, companies that take a more surgical approach and spend the time on forensics to detect which customers are actually at risk and require notification ultimately spend less on data breaches.

The study reported other findings on the state of network security:

Malicious or criminal attacks are the most expensive and are on the rise. In this year's study, 31 percent of all cases involved a malicious or criminal act, up seven points from 2009, and averaged $318 per record, up 43 percent from 2009.

In addition:

The cost of breaches by third-party outsourcers rose significantly, up $85 (39 percent) to $302 per record. These figures may indicate that compliance with government and commercial regulations for data protection are dramatically raising breach costs involving outsourced data.

The moral, as always, is be prepared. Have a strategy and tools in place to do the proper forensics, know your exact compliance requirements, and move quickly but cautiously to notify only those customers that are affected directly. In other words: Don't panic!

This story, "How not to handle a data breach," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies