In 2009, the cost of a data breach increased for the fifth straight year to $204 per compromised record, but a number of factors, including an increase in the use of data breach consulting services and the experience gained from handling previous breaches, are slowing expense increases, according to an annual study conducted by the Ponemon Institute LLC.
The Traverse City, Mich.-based research firm interviewed 45 companies, many of which had had multiple data breaches, and determined that the average annual data breach costs rose from $6.65 million in 2008 to $6.75 million in 2009. The "Fifth Annual U.S. Cost of Data Breach Study," funded in part by encryption vendor PGP Corp., determined the annual cost of a data breach by establishing a company's cost of lost business as a result of an incident, expenses incurred by notifying individuals and authorities of a breach, costs associated with legal fees and consulting firms, and new investments made in technology and employee education.
The most expensive data breach reported by one of the 45 firms in the study involved more than 100,000 customer records and cost $31 million to resolve.
"There's no real way to avoid a data breach; it's going to happen," said Larry Ponemon, chairman and founder of the institute. "The good news is that companies get better in handling a breach with experience and that results in lower costs."
About 82% of the firms interviewed in the Ponemon study reported more than one data breach. The experience gained through a previous breach helped firms better manage the fallout associated with a breach. The per-victim cost for a first-time data breach is $228, versus $198 for companies experiencing two or more incidents.
"Companies that have experienced a breach in the past take their time; they don't make abrupt decisions and they sometimes hire a consultant to help manage the response," Ponemon said.
Firms that notify potential victims quickly experience higher average data breach costs than those that move slower and determine exactly how many customers were affected.
Meanwhile, the study found that many of the breaches were associated with lost laptops and USB drives (40%); system errors and account statement mix-ups (36%) also contributed to company data breaches. Malicious attacks accounted for about 24% of the breaches, Ponemon said. But perhaps the biggest problem that contributes to data breaches is mistakes made by third-party vendors and company partners such as contractors and consultants, Ponemon said. Those errors were associated with breaches in 42% of the firms surveyed.
More money is being spent on legal defenses than ever before, Ponemon said. Despite many class-action lawsuits being thrown out of court, companies are hiring legal teams to fight the claims.
"All it takes is one court challenge to succeed to cause problems," Ponemon said.
The study found financial services, communications and healthcare firms experience the highest level of customer loss as a result of a breach. Ponemon said these industries rely on trust to maintain business, and a breach contributes to an erosion of that trust. Retailers, energy and media companies with less direct consumer contact seem to experience a lower overall customer loss, resulting in lower data breach costs. For example, the TJX Companies Inc., which experienced a massive breach at its T.J. Maxx and other retail locations in 2007, bounced right back in less than a year, posting consecutive profitable quarters through the global economic recession. The company held a customer appreciation day and relied on discounts to lure customers back.
"If handled properly, companies will survive a breach," Ponemon said. "There's no excuse for not taking a defense-in-depth approach toward security and maintaining a secure environment; just because you will survive doesn't mean you'll want to go through the pain or put your customers through the aggravation of having a breach."