The average cost of a data breach globally stood at USD 3.43 million in 2009, equivalent to USD 142 per compromised customer record, according to research from the Ponemon Institute.
Costs varied dramatically between regions, from USD 204 per lost record in the U.S., down to USD 98 per record in the UK. A total of 133 organizations, located in five countries – Australia, France, Germany, UK and U.S. – participated in the research, which was undertaken during 2009.
The report shows that costs incurred in countries with data breach notification laws were significantly higher than in countries where no such legislation exists. For example, in the U.S., where 46 states have now introduced laws forcing organizations to publicly disclose the details of breach incidents, the cost per lost record was 43 percent higher than the global average.
In Germany, where equivalent laws were passed in July 2009, costs were the second highest, 25 percent above the worldwide average. In Australia, France and the UK, where data breach notification laws have not yet been introduced, costs were all below the average.
In the UK, where only public sector and financial organizations currently face regulatory pressure to disclose breaches, costs were lowest: USD 98 per record, roughly 31 percent below the global average of USD 142 and less than half the USD 204 incurred by U.S. firms.
Almost half (44 percent) of the total cost of a data loss incident was attributable to lost business, reflecting customer churn and the increased difficulty of attracting new customers in the wake of negative publicity. Again, costs varied dramatically between countries and were highest in the U.S., where lost business accounted on average for 66 percent of overall expenses.
The costs of detecting and escalating a breach were particularly high in Germany (USD 52 per lost record), reflecting the investment in new technologies and processes required to comply with the country's recent notification legislation. In the U.S., where laws were first enforced in 2005, these costs were small by comparison (USD 8) and have decreased in recent years, suggesting that American organizations have developed more efficient detection and escalation processes over time.
French, Australian and UK firms should expect their costs to follow the same trend, initially rising in order to ensure compliance with emerging regulations and then declining once processes become more refined.
When a third party was responsible for the data loss incident, costs rose in all countries, reflecting the additional forensics and investigation required to detect and remediate the breach. The financial impact of third-party mistakes varied greatly across the world, however, from a rise of just 12 percent in the U.S. to a staggering 116 percent in France.
Organizations suffering a data loss incident as a result of malicious or criminal activities also incurred higher costs, with French companies once again experiencing the greatest negative impact. With malicious attacks on the rise across all countries, and accounting for between 24 and 54 percent of incidents, organizations should take a more proactive approach to protecting their data from theft in order to reduce costs.
Where the organization's chief information security officer or equivalent took personal responsibility for managing the breach, costs fell in all five countries. However, CISO-managed incidents occur in only a minority of cases, since most organizations either do not employ a CISO or do not make one directly responsible for data breach incidents.