Study: Data-breach costs on the rise

Data breaches are on the rise in the business world. According to the Privacy Rights Clearinghouse, more than 330 data loss incidents involving more than 93 million individual records have occurred since February 2005.

As these incidents increase in number, so too do the associated expenses that companies end up paying for their negligence.

Data breaches have cost companies an average total of $4.7 million, or $182 per compromised record, in 2006, according the "2006 Cost of Data Breach Study" from Ponemon Institute. That's up from $138 per record last year.

Among the 31 companies that participated in the study, all of which suffered data security breaches, total costs per incident ranged from under $226,000 to over $22 million.

"The burden companies must bear as a result of a data breach are significant, making a strong case for more strategic investments in preventative measures such as encryption and data loss prevention," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute, in a written statement. "Tough laws and intense public scrutiny mean the consequences of poor security are steep - and growing steeper for companies entrusted with managing stores of consumer data."

The report, slated for release on Monday, Sept. 23 at Infosecurity NY 2006, was co-sponsored by PGP, an enterprise data security and encryption provider, and Vontu, the data-loss prevention solutions vendor. (Notice a common thread between Ponemon's recommendation and the companies sponsoring the report? Still, I wouldn't discount these findings outright.)

About 70% of the costs per incident were "indirect," stemming from loss of existing and future customers, according to the report. Not surprisingly, people don't want to stick around after you've made them a target for identity theft.

The report breaks down the direct costs by various activities. Detection, discovery and escalation expenses, i.e. "activities necessary to discover and report the breach to appropriate personnel in a specified time period", averaged $295,475.

Notification costs, referring to the process of alerting "data subjects with a letter, outbound telephone call, e-mail or general notice, averaged $662,269.

Ex-post responses, the process of helping victims with information, recommendations, credit-report monitoring, or reissuing a new account or credit card, cost an average of $1,245,845.

What was to blame for these breaches?

  • Fourteen of them (45%) were a result of lost or stolen laptops, desktops, PDAs, or thumb drives.
  • In nine cases (29%) of the incidents, the cause was lost or stolen files acquired or used by a third-party.
  • In eight cases (26%), lost or stolen electronic backups (e.g. magnetic tapes) led to the data spill.
  • In four (13%) cases, the cause was lost or stolen paper records or files.
  • Three cases (10%) involved hacked electronic systems.
  • Malicious insiders were behind two cases (6%).
  • Malware was the culprit in two cases (6%).
  • In one case (3%), a misplaced network or enterprise storage device (due to a natural disaster) led to the breach.

Participants were also asked preventive measures they implemented after the breach. Their responses:

  • Thirteen (42%) have added additional manual procedures or controls.
  • Nine (29%) have implemented training and awareness programs.
  • Seven (23%) are encrypting data in motion.
  • Five (16%) are encrypting data at rest.
  • Four (13%) have installed information leak detection and prevention systems.
  • Three (10%) have deployed security event management systems.
  • Another three (10%) have put up additional perimeter controls.
  • Two (6%) have launched identity and access management systems.
  • Another two have conducted independent security audits.
  • Two companies have done nothing.
  • One company has stated encrypting data backups.

Copies of the "2006 Cost of a Data Breach Study" are available through PGP, Vontu, and The Ponemon Institute.

What do you find most striking about this studies findings -- if anything?