The annual Cost of Data Breach survey conducted by the Traverse City, MI-based Ponemon Institute and funded by encryption vendor PGP Corp. found the total average costs associated with data breaches rose slightly since 2007.
The fourth annual U.S. Cost of a Data Breach Study (registration required) surveyed 43 firms that experienced a data breach and asked them to give estimates for their expenses. The total average costs of a data breach grew to $202 per record compromised, an increase of 2.3% since 2007 ($197 per record) and 11% compared to 2006 ($182 per record).
Depending on the size of the breach, costs could become astronomically expensive, said Dr. Larry Ponemon, chair and founder of The Ponemon Institute. Some in the privacy community hold the view that, over time, people will become indifferent to data breach notifications. But the Ponemon study found that the costs associated with lost business continue to climb. Lost business now accounts for 69% of data breach costs, up from 65% in 2007.
“Our model suggests that people haven’t reached the point of indifference yet,” Ponemon said. “When people reach that point the cost of churn should decline, but our findings show the costs continue to creep up year by year.”
The survey also found that many firms have trouble preventing data breaches. Of the firms surveyed, 84% said they had experienced more than one breach, though the costs are higher for companies experiencing a breach for the first time. The per-victim cost for a first-time data breach is $243, versus $192 for experienced companies.
“It’s impossible to create an environment where you cannot have a data breach,” Ponemon said. “Data breaches will probably continue even for the best of companies, but it’s how you detect it, how you respond to it, and how you manage the risk that matters most.”
Companies are fearful of malicious insiders getting access to sensitive data. The rising tide of layoffs resulting from the poor economy has put a focus on the insider threat. But insider negligence continued to play a major role in causing data breaches. More than 88% of all cases involved incidents of insiders mishandling data; far fewer breaches were caused by malicious insiders. The Ponemon study found that the per-victim cost for data breaches involving negligence was $199 per record, versus $225 per record for malicious acts.
Fewer firms are investing in additional technologies. Encryption was the first technology implemented after a breach. Of the technology options, 44% of companies have expanded their use of encryption, the Ponemon survey found.
“One of the mistakes people make with encryption is they’ll go and encrypt a laptop and forget about thumb drives, email or FTP servers,” he said. “People are addressing some issues but not addressing the entire problem.”
Some companies turn to the use of third-party services to handle personal information such as payment transactions and customer loyalty programs. But the Ponemon survey found that those services may increase the risk of data leakage and increase the cost of a breach. Breaches by outsourcers, contractors, consultants and business partners were reported by 44% of respondents, up from 40% in 2007. Third-party vendors often take more time to investigate and conduct forensic analysis. Services sometimes lose information due to poor processes or inadequate data protection technologies, Ponemon said.
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005.