Responding to a data breach is much more expensive today than it was a couple of years ago, according to the latest survey conducted by the Elk Rapids, Mich.-based Ponemon Institute.
Its latest 2007 Cost of a Data Breach report shows a 43% rise in costs compared to 2005 as affected companies scrambled to notify customers, bring in investigators, invest in new security technology and respond to lawsuits.
The study found that the total average cost of a data breach grew to $197 per compromised record, an increase of 8% since 2006 and 43% compared to 2005. The average total cost per reporting company was more than $6.3 million per breach and ranged from $225,000 to almost $35 million.
After suffering a data breach, study participants said their companies expanded the use of encryption; invested in new data loss prevention and identity and access management products; and deployed new technology for endpoint security, perimeter control, and event management.
The study was sponsored by email and data encryption vendor PGP Corp. and data loss prevention vendor Vontu, Inc. It examined the financial consequences of data breaches involving consumers' personally identifiable information and focused on 35 data breach incidents in the U.S. involving as few as 4,000 records and as many as 125,000 records.
Other findings indicate that the cost of lost business continued to increase at more than 30%, averaging $4.1 million or $128 per compromised record. Lost business now accounts for 65% of data breach costs compared to 54% in the 2006 study.
Larry Ponemon, founder and chairman of the Ponemon Institute, said each security breach is different but that it all amounts to the loss of confidence and trust, which in turn means a loss of money. He used the massive security failure at Framingham, Mass.-based TJX Cos. Inc. and the recent compromise of 25 million records in the UK as examples of what's at stake.
"TJX initially underestimated what the cost of a data breach would be and the costs keep creeping up," he said, noting how TJX initially said it spent $25 million responding to the breach but later admitted the cost was closer to $256 million. "The lesson they learned is that it's very costly because of litigation, the banks are also getting hurt and then there's the reputation damage. Some say the cost for them was negligible, but it's still pretty large."
The study also found that breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners were reported by 40% of respondents, up from 29% in 2006 and 21% in 2005. Breaches by third parties were also more costly than breaches by the enterprise itself, averaging $231 compared to $171 per record.
Ponemon noted that dealing with the loss or theft of laptops and discs can be less costly. [The 25 million UK records were stored on two discs that went missing.] Companies may be reluctant to spend money on security that could hamper employees' ability to work remotely, but there are quick-and-dirty measures that can be taken, such as full-disc encryption on mobile devices, he said. Full-disc encryption makes it virtually impossible for someone to decipher the information, and having it puts companies in a better position to emerge unscathed from incidents in which discs and laptops go missing, he said.
One thing is certain, Ponemon said. Data breach costs will continue to skyrocket unless companies do more to prevent them in the first place. He noted how, according to the latest tally from the Privacy Rights Clearinghouse, more than 216 million records have been compromised since early 2005.
"Companies continue to pretend data breaches won't happen to them. Crossing your fingers is not an acceptable security measure, yet that seems to be the prevailing attitude," he said.