Latest study shows data breach costs continue to rise

PGP Corp. and the Ponemon Institute announced results of the fourth annual U.S. Cost of a Data Breach Study.  According to the study which examined 43 organizations across 17 different industry sectors, data breach incidents cost U.S. companies $202 per compromised customer record in 2008, compared to $197 in 2007.  Within that number, the largest cost increase in 2008 concerns lost business created by abnormal churn, meaning turnover of customers.  Since the study’s inception in 2005, this cost component has grown by more than $64 on a per victim basis, nearly a 40% increase.
 
The annual U.S. Cost of Data Breach Study tracks a wide range of cost factors, including expensive outlays for detection, escalation, notification and response along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions. 

Other key findings from the study include the following:

  • Average total per-incident costs in 2008 were $6.65 million, compared to an average per-incident cost of $6.3 million in 2007.
  • Healthcare and financial services companies experienced the highest churn rate – 6.5 percent and 5.5 percent respectively, on a total average of 3.6 percent, which reflect the sensitivity of the data collected and the customer expectation that information will be protected.
  • Third-party organizations accounted for more than 44 percent of all cases in the 2008 study and are also the most costly form of data breaches due to additional investigation and consulting fees. 
  • More than 84 percent of 2008 cases involved organizations that had had more than one data breach in 2008 – meaning that companies are becoming more experienced in managing breaches over time.
  • More than 88% of all cases in this year’s study involved insider negligence.
  • More than half of respondents believe that training and awareness programs assist in preventing future breaches and 44 percent have expanded their use of encryption.
  • The most significant cost decrease was seen in activities relating to post-breach response, which indicates that organizations are becoming more cost effective in managing data breaches.

The U.S. Cost of a Data Breach Study was derived from a detailed analysis of 43 data breach cases with a range of 4,200 to 113,000 records that were affected.  The study found that there is a positive correlation between the number of records lost and the cost of an incident.  Companies analyzed were from 17 different industries, including financial, retail, healthcare, services, education, technology, manufacturing, transportation, consumer, hotels and leisure, entertainment, marketing, pharmaceutical, communications, research, energy and defense.

Don't miss