The 2009 Ponemon Institute benchmark study examines the costs incurred by 45 organizations after experiencing a data breach. Results were not hypothetical responses; they represent cost estimates for activities resulting from actual data loss incidents.
Breaches included in the survey ranged from approximately 5,000 records to more than 101,000 records from 15 different industry sectors.
What we learned from the 2009 results:
The total cost of a data breach rose to $204 from $202 per compromised record. According to participants in the 2009 study, data breaches cost their companies an average of $204 per compromised record – of which $144 pertains to indirect cost including abnormal turnover or churn of existing and future customers. Last year’s average per victim cost was $202 with an average indirect cost at $152 per breach victim. This year direct costs rose to $60 from $50 in 2008.
The cost of lost business decreased, but ex-post response costs increased. In a dramatic reversal, ex-post response represented the largest increase in total cost, whereas last year this cost category represented the largest decrease. One of the main reasons for the increase in ex-post response costs is higher legal defense cost.
Once again, this research finds organizations in highly trusted industries such as financial services and healthcare are more likely to experience a data breach with high abnormal churn rates. In contrast, retailers and companies with less direct consumer contact seem to experience a lower overall data breach cost. Other cost components of a data breach appear to have stabilized.
Data breach continues to be a very costly event for organizations. The average organizational cost of a data breach increased from $6.65 million in the 2008 study to $6.75 million in 2009. The most expensive data breach event included in this year’s study cost a company nearly $31 million to resolve. The least expensive total cost of a data breach for a company included in the study was $750,000. The magnitude of the breach events ranged from approximately 5,000 to approximately 101,000 lost or stolen records. As in prior years, data breach cost appears to be linearly related to the size or magnitude of the breach event.
Abnormal churn or turnover of customers resulting directly from the data breach incident appears to be the main driver of data breach cost. Abnormal churn was measured as the loss of customers who were directly affected by the data breach event. In this year’s study, the average abnormal churn rate across all 45 incidents is slightly higher than last year (from 3.6 percent in 2008 to 3.7 percent in 2009). The industries with the highest churn rates are pharmaceuticals, communications and healthcare (all at 6 percent), followed by financial services and services (both at 5 percent). The industries with the lowest abnormal churn rates are manufacturing, energy and media (all at or below 1 percent), followed by technology and retail (both at 2 percent).
Forty-two percent of all cases in this year’s study involved third-party mistakes or flubs. Data breaches involving outsourced data to third parties, especially when the third party is offshore, were most costly. This could be due to additional investigation and consulting fees. The cost per compromised record for data breaches involving third parties was $217 versus $194, more than a $21 difference.
Twenty-four percent of all cases in this year’s study involved a malicious or criminal attack that resulted in the loss or theft of personal information. Research shows data breaches involving malicious or criminal acts are much more expensive than incidents resulting from negligence. Accordingly, in 2009 the cost per compromised record of a data breach involving a malicious or criminal act averaged $215. In contrast, the cost per compromised record of a data breach involving a negligent insider or a systems glitch averaged $154 and $166, respectively.
Thirty-six percent of all cases in this year’s study involved lost or stolen laptop computers or other mobile data-bearing devices. Data breaches involving lost, missing or stolen laptop computers are more expensive than other incidents. Specifically, in this year’s study the per victim cost for a data breach involving a lost or stolen laptop was $225.
More than 82 percent of all cases in this year’s study involved organizations that had more than one data breach involving the loss or theft of more than 1,000 records containing personal information. Data breaches experienced by “first timers” are more expensive than those experienced by organizations that have had previous data breaches. The per victim cost for a first time data breach was $228 versus $198 for companies experiencing two or more incidents. This finding suggests companies that experience data breaches become more efficient at managing costs over time.
Training and awareness programs lead companies’ efforts to prevent future breaches, according to 67 percent of respondents. Other notable remediation procedures following the breach incident include: additional manual procedures and controls (58 percent), expanded use of encryption (58 percent), identity and access management solutions (49 percent), data loss prevention solutions (42 percent), and endpoint security solutions (36 percent). The 2009 findings suggest that post-breach remediation measures in all categories increased from 2008.
About 36 percent of participating companies notified victims within one month of discovering the data breach. Surprisingly, findings suggest that companies that execute notification quickly experience a higher average cost per compromised record than companies that move more slowly ($219 versus $196). Results suggest that moving too quickly through the data breach process may cause cost inefficiencies for the organization, especially during the detection, escalation and notification phases.
About 44 percent of participating companies engaged an outside consultant to assist them over the course of the data breach incident. Findings suggest that engaging a consultant or other third-party expert to assist in the data breach incident results in a lower average cost per compromised record. Specifically, those organizations that engaged a consultant experienced, on average, a per victim cost of $170, as opposed to $231 for companies that decided to go it alone.