Start counting: The Ponemon Institute's data-breach calculator
The Ponemon Institute's annual study of data loss costs this year looked at 51 organizations who agreed to discuss the impact of losing anywhere between 4,000 to 105,000 customer records. The private-sector firms participating in the Ponemon Institute's "2010 Annual Study: U.S. Cost of a Data Breach" hail from across various industries, including financial services, retail, pharmaceutical technology and transportation.
While "negligence" remains the main cause of a data breach (in 41% of cases), for the first time the explanation of "malicious or criminal attacks" (in 31% of cases) came in ahead of the third leading cause, "system failure."
It turns out "malicious or criminal attacks" are the most expensive type of data breach to discover and respond to, costing on average $318 per customer record, $151 more than non-malicious breaches that stem from negligence of system failure.
"It's harder to detect and do investigations," says Dr. Larry Ponemon, about cases involving malware and botnets or social engineering. He notes just two years ago, only 12% of data breaches were ascribed to malicious and criminal activity.
Negligence is still the leading cause of a data breach, however, and last year there were a couple of instances of data breaches that companies confided to Ponemon were due to mistakes made by their cloud-service providers. One financial-services company found itself having to report a data breach because its records were exposed on a shared virtual-machine server in a way that others using the cloud-based service could see, Ponemon notes. The financial-services firm found out about it because some of the other firms in the cloud environment directly told them.
Some industries last year saw higher costs per customer record in a data breach than others, with upward spikes. For instance, financial services jumped from $353 per customer record in 2010, up from $249 in 2009, and healthcare jumped from $345 last year from $301 in 2009. The communications sector had the highest cost of all, at $380 per customer record. Media, at $131, education at $112 and the public sector at $81, stood at the lowest.
Ponemon acknowledges it's hard to discern exactly why these sector cost differences exist. Trends show organizations with chief information security officers incur less costs when a data breach occurs. And companies coping with their first data breach — which were 20% of the study's participants — had the highest costs of anyone on average in the 2010 study, averaging $326 per compromised customer record, up 48%.
But one disconcerting pattern the Ponemon study picked up on in last year's round of data breaches is that the faster a company moved to notify victims of the breach, the higher the costs.
About 41% of the respondents in the study said their organization had notified victims within one month of discovering the data breach, up from 36% in 2009. But these so-called quick responders paid $268 per record, up 22% from 2009 — and substantially more than companies that took longer, which paid $174 per record, down 9% from 2009.
Costs pile up in a rush to make a one-month or less reporting time deadline and don't necessarily mean companies are doing a better job in the forensics of understanding exactly what happened to them in the data breach, says Ponemon. Instead, it seems to lead to an "over-reporting phenomenon" where more records than were actually in the data breach are reported and publicly disclosed. This may be happening because companies are afraid they will have problems with state or federal regulators or class-action lawsuits if they delay past the one-month timeline, he said.
The Federal Trade Commission, for one thing, has talked about one month as a guideline for healthcare, Ponemon noted.
This year, Symantec, which sponsored the report, worked with Ponemon Institute to come up with an online cost of a data breach calculator which lets organizations plug in variables that will give them an idea of what kind of data-breach costs they might incur, based on statistical data Ponemon has collected about industry, size, number of records and other factors.