
Survey: Data breach costs surge

By Robert Westervelt, News Editor
31 Oct 2006 | SearchSecurity.com

Security Wire Daily News

The costs associated with high-profile data breaches are skyrocketing, according to a survey of companies that recently experienced customer data loss.


Data breaches cost companies an average of $182 per compromised record, a 31% increase over 2005, according to the survey conducted by the Elk Rapids, Mich.-based Ponemon Institute.

Ponemon studied 31 companies that experienced a data breach. The total costs for each loss ranged from less than $1 million to more than $22 million, according to the 2006 findings.

Costs resulting from a data breach can include printing and postage of notification letters, hiring a law firm to address legal issues, offering credit monitoring subscriptions to customers, implementing a customer support hotline and contract call center, as well as customer defections.

IT had no direct costs other than to put subsequent preventative measures in place, the survey said. The costs were borne primarily by marketing, to avoid customer turnover, and by customer support.

"IT costs tend to be made up front as a preventative measure, so the bulk of an organization's security needs and subsequent IT investment will, by necessity, already have been made," Larry Ponemon, founder and chairman of the Ponemon Institute, said in an email interview. "A breach may expose a flaw in implementation, or a hole that can be addressed through training, but not necessarily a need for new direct investments."

The study also uncovered a lack of appropriate planning for a data breach. IT executives or IT security officers were responsible for breach response in 53% of incidents, but one third of those surveyed said there was no single group responsible for a breach response.


"A number of recent studies we've conducted have revealed an appalling lack of accountability where data protection and response is concerned," Ponemon said. "We believe assigning responsibility for security and response is an essential element to effective data protection."

In addition, more data may be at risk, as more companies contract with external partners, consultants, outsourcers or contractors. The survey found that almost 30% of all reported breaches originated with outside sources, such as contractors.

"It's difficult to compare right now as we've only been doing this analysis for two years, but it's safe to say that the more data travels, and the more people that have access to data, the more risk there is for exposure," Ponemon said. "It's not enough to assume a partner is doing the right thing. Companies have a responsibility to conduct due diligence with their partners and confirm they meet strict operational standards."

According to the study, regulations in more than half of all U.S. states require that customers be notified if their confidential or personal data has been lost, stolen, or compromised. The only "safe harbor" exception exempting organizations from the notification requirement is for data held in an encrypted form when lost.

The goal for many companies is to put data detection and encryption software in place to align information protection with corporate security policies and regulatory mandates, according to the study. Security best practices can be automatically enforced without relying on individuals to do so and without altering the network environment or email user behavior.

Companies should focus on preventing a breach and have a plan in place to reduce the cost of exposure if a breach takes place, as well as knowing which customers to notify so that customers are not over-notified, said Steve Roop, vice president of products at San Francisco, Calif.-based Vontu Inc. Vontu cosponsored the report with Palo Alto, Calif.-based PGP Corp.

"It's all about risk mitigation and risk reduction," Roop said. "Technologies need to make end users more aware of security best practices, because employees need to know what the security policies of an organization are and if they are mishandling data."



All Rights Reserved, Copyright 2003 - 2008, TechTarget