The 2013 Cost of Data Breach Study, issued today by the Ponemon Institute, shows perhaps most clearly that one...
way to keep data breach losses low is to tell as few people as possible about your organization's mishaps.
The study, sponsored by Symantec, found that the cost per lost record in an average breach incident increased modestly, from $130 to $136. Germany and U.S. organizations had the highest costs, $199 and $188, respectively. This was the first year when the U.S. per-record cost wasn't the highest.
The eighth annual global report is based on the actual data breach experiences of 277 companies in nine countries including the U.S., United Kingdom, France, Germany, Italy, India, Japan, Australia and Brazil. All of the data breach incidents studied in the reports occurred in the 2012 calendar year.
The study notes that several attributes correlate to lower per-record losses. U.S. and U.K. companies managed to realize the greatest reduction in data breach costs by having a strong security posture, incident response plan and a CISO in place. The U.S. and France had the greatest cost reduction from the engagement of consultants to support data breach remediation.
But in discussing the results, Larry Ponemon, chair and founder of the Traverse City, Mich.-based Ponemon Institute and director of the study, suggested that the biggest factor affecting breach cost was how many people were informed.
"Organizations saw early on, in the early stages of state breach notification laws, that when they had to notify a lot of people of a breach, it did a lot of damage to their brand," Ponemon said, noting that companies, when faced with uncertainty about how many records were breached, often notify the largest possible number. While they may be trying to do the right thing or staying on the safe side of the sometimes ambiguous requirements in compliance requirements, this "over notification" is expensive, because notified customers act as if their data was breached, whether it actually was or not.
The notification logistics all by themselves come at significant cost. The report notes that typical notification costs include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts and other efforts to make sure victims are alerted to the fact that their personal information has been compromised. U.S. and Germany organizations on average spent the most ($565,020 and $353,927, respectively). Brazil and India spent the least amount on notification ($53,063 and $22,232, respectively).
Whether notification losses were high or low, the larger part of the loss in most countries was due to indirect cost. Ponemon said, "Direct costs are easier to collect because normally you can associate them with some kind of out-of-pocket expenditure." Indirect cost, Ponemon added, "is basically the cost of consequence, but it's harder to measure."
In the U.S., the report says indirect costs accounted for 68% of losses, with the rest covering direct losses. The average indirect cost for lost business in the U.S. was $3,030,814 (out of an average total loss of $5,403,644). By way of contrast, in Brazil indirect costs were only 41% of the average loss. Globally, overall direct costs were 47% and overall indirect costs were 53%. Ponemon estimates the lost business based on any observed higher-than-average turnover rate and on lower-than-expect new customer acquisition rates.
Report results showed that, on average, Australian and U.S. companies had data breaches that resulted in the greatest number of exposed or compromised records (34,249 and 28,765 records, respectively). On average, Italian and Japanese companies had the smallest number of breached records (18,285 and 18,237 records, respectively). The study explicitly does not include breaches larger than 10,000 records, said Ponemon, "because they are not representative of most data breaches and to include them in the study would skew the results."
"Our model doesn't really deal with these kinds of outliers," said Ponemon. Huge numbers of lost records mean that "the unit cost is completely different"; the per-record cost drops "big-time."
While one-third of breaches are due to errors made within organizations, the third of breaches caused by malicious or criminal attacks were the most expensive in all nine countries. U.S. and German companies experienced the most expensive data breach incidents, costing $277 and $214 per compromised record, respectively. Brazil and India had the least costly data breach caused by malicious or criminal attackers at $71 and $46 per record, respectively.
"If there's one surprise," said Ponemon, "it's definitely the country variation." But, Ponemon notes, Brazil and India have either no or very lax requirements for breach notification. Whatever the reasons, both countries enjoyed the lowest estimates of the cost of lost business and, relatedly, the lowest "abnormal churn rate." In India, the rate of customer churn beyond what was expected (and therefore presumably attributable to the breach incident) was 2.7%. Brazil's rate was 2.4%. Lower abnormal churn, the study posited, results in lower losses of future business.
Not all studies view the effect of a breach on future business in the same light, however. Lawrence A. Gordon, Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance at the University of Maryland's Smith School of Business, said that "it is difficult to estimate the indirect costs associated with cybersecurity breaches," and that "the biggest part of that difficulty has to do with the implicit (as contrasted with the explicit) costs associated with potential lost customers, and potential liabilities, that result from cybersecurity breaches. In fact, that is why we did a study back in 2003 looking at the impact of such breaches on the stock market returns of firms." The study's premise was that stock market returns are probably the best way to capture the implicit costs, insofar as investors figure those future costs into their estimate of the company's value.
Gordon and two collaborators published a follow-on to that initial study in 2011, with findings that suggested that "in recent years average information security breaches have become less costly." The study -- appearing in the print-only Journal of Computer Security and titled "The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs?" -- noted a change among investors "toward viewing information security breaches as creating a corporate 'nuisance' (or merely another recurring operating cost) rather than creating a potentially serious economic threat to the survival of firms."