The average organizational cost of a data breach rose to $7.2 million in 2010, costing companies an average of $214 per compromised record, an increase of 5% over the 2009 study, according to the new report "The 2010 Annual Study: U.S. Cost of a Data Breach." The study, in its fifth year, was underwritten by Symantec Corp.
The Ponemon study estimated the costs after analyzing the data breach experiences of 51 U.S. companies. Breaches in the study ranged from nearly 4,200 records to 105,000 records. The research firm said the findings can be applied to U.S. organizations that experience large data breaches between 1,000 and 100,000 compromised records.
The study marks the fifth year in a row that costs associated with a data breach have risen. The most expensive data breach included in the 2010 study cost a company $35.3 million to resolve, up $4.8 million (15%) from last year.
Organizations that rush to notify victims end up paying more in costs, according to the report. Forty-three percent of companies notified victims within one month of discovering the data breach. In 2010, quick responders had a per-record cost of $268, up $49 (22%) from $219 the year before. Companies that took longer paid $174 per record, down $22 (11%) from 2009.
"The notable increase in companies responding quickly to breaches, despite the additional cost, may reflect pressure companies feel to comply with commercial regulations and state and federal data protection laws. We will closely watch this issue in future reports," according to the report.
The report also found that malicious attacks caused the most costly data breaches, mirroring a trend noted in the 2010 Verizon data breach report, which showed cases of malicious insiders on the rise. Nearly a third (31%) of all cases studied by Ponemon involved a malicious or criminal attack, an increase of 7 points from 2009 after having doubled the year before. Ponemon said it marks the first time malicious attacks were not the least common cause of breaches. The 2010 cost per compromised record of a data breach involving a malicious or criminal act averaged $318, up $103 (48%) from 2009 and the highest of any data breach cause this year.
Ponemon said the most costly part of a data breach is customer turnover, a direct response to most breaches. In addition, companies often invest in training and awareness programs followed by encryption deployments.
Breaches by third-party outsourcers are declining, according to the study, but their cost rose significantly, up $85 (39%) to $302 per record. Ponemon said governmental and commercial regulations for data protection may play a role in driving up the cost of breaches involving outsourced data.
In addition, lost or stolen laptops or mobile devices remain a consistent and expensive threat. The cost is significant, Ponemon said, rising 15% to $258 per compromised record. Costs are typically associated with the difficulty of forensics and investigating lost or stolen devices.