The Ponemon Institute's annual study of data loss costs this year looked at 51 organizations that agreed to discuss the impact of losing between 4,000 and 105,000 customer records each. The private-sector firms participating in the Ponemon Institute's "2010 Annual Study: U.S. Cost of a Data Breach" come from a range of industries, including financial services, retail, pharmaceutical technology, and transportation.
While "negligence" remains the main cause of a data breach (41 percent of cases), for the first time "malicious or criminal attacks" (31 percent of cases) came in ahead of "system failure," which is now the third leading cause.
It turns out that malicious or criminal attacks are also the most expensive type of data breach to discover and respond to, costing on average $318 per customer record, $151 more than non-malicious breaches that stem from negligence or system failure.
"It's harder to detect and do investigations," says Dr. Larry Ponemon about cases involving malware and botnets or social engineering. He notes that just two years ago only 12 percent of data breaches were ascribed to malicious and criminal activity.
Negligence is still the leading cause of a data breach, however, and last year there were a couple of instances of breaches that companies confided to Ponemon were due to mistakes made by their cloud-service providers. One financial-services company found itself having to report a data breach because its records were exposed on a shared virtual-machine server in a way that other tenants of the cloud-based service could see them, Ponemon notes. The financial-services firm only found out because some of the other firms in the cloud environment told it directly.
Some industries saw sharply higher costs per customer record in a data breach last year than others. For instance, financial services jumped to $353 per customer record in 2010 from $249 in 2009, and healthcare rose to $345 last year from $301 in 2009. The communications sector had the highest cost of all, at $380 per customer record. Media ($131), education ($112) and the public sector ($81) were the lowest.
Ponemon acknowledges it's hard to discern exactly why these sector cost differences exist. Trends show that organizations with a chief information security officer incur lower costs when a data breach occurs. And companies coping with their first data breach, 20 percent of the study's participants, had the highest costs of anyone on average in the 2010 study, at $326 per compromised customer record, up 48 percent.