Average data breach costs companies $5 million

Companies spent nearly $5 million on average this year, 30% more than in 2005, to recover when corporate data was lost or stolen, according to a new study from the Ponemon Institute.

The Ponemon Institute's 2006 Cost of Data Breach Study, which was completed in September, shows that the main culprit for data loss in 49% of the cases is a lost or stolen laptop, desktop, PDA or thumb drive. The study looked at 31 companies that have experienced a data breach in the past year.

Cost of lost data

A recent study by the Ponemon Institute found that the per capita cost of a data breach has gone up more than 31% in the past year when four activities associated with detecting and dealing with a breach are taken into account.

Cost                      2005    2006    Increase
Detection & escalation    $10     $11     10%
Notification              $18     $25     38.9%
Response                  $35     $47     34.3%
Lost business             $75     $98     30.7%
Total                     $138    $181    31.2%

There have been 254 data-breach incidents this year alone, according to the Privacyrights.org Web site. The study also concluded that companies spend $180,000 after each incident to prevent further data breaches.

In addition, the average cost for each compromised record was up by more than 30% over last year, rising from $138 to $182. The average total recovery cost was $140 per lost customer record. According to the study, the increase was fueled by three factors: phone calls for customer notification, free or discounted services and an increase in customer turnover.

Observers note that those costs have nothing to do with IT and suggest that companies need to look across a broader spectrum when factoring costs.

"By not connecting the dots, companies are not seeing the true costs and, therefore, the true value of preventative measures," says Andrew Krcik, vice president of marketing for PGP, one of the sponsors of the survey with Vontu. He says many companies lack a holistic approach to figuring out costs. "They should be looking at what it costs the company instead of looking at what it costs a particular group, especially IT."

The Ponemon Institute is an independent research company focused on issues affecting the implementation of responsible information practices within business and government. The study computed the costs by taking into account such expenses as outlays for detection, escalation, notification and after-the-fact response. The study also took into account direct expenses such as outsourced hot-line support, free credit-monitoring subscriptions, and discounts for future products and services. Indirect costs included in-house investigation and communication, as well as customer turnover.

One interesting finding was that data theft through malicious activity by employees accounted for only 6% of data breaches. Corporate insiders have long been tagged as major threats when it comes to stolen corporate data.

After stolen laptops, desktops, PDAs or thumb drives, the most common method of data loss was lost or stolen files acquired or used by third parties or outsourcers, put at 29%. Lost or stolen electronic backup such as magnetic tapes accounted for 26%, and lost or stolen paper records and files accounted for 13% of data breaches.

The rest of the list included hacked electronic systems, at 10%; malicious insiders, at 6%; malicious code, such as malware, spyware or crimeware, at 6%; and misplaced network or enterprise storage devices (as a result of a natural disaster, such as a major hurricane), at 3%. Of the companies responding to the survey, 6% did not disclose how their data breaches occurred.

The study also found that in 32% of the data breaches, the CIO or CTO managed the event and the implementation of prevention measures. In 19% of the cases, the CISO or CSO dealt with the incident; and a division president or general manager handled the chores in 16% of the cases, with a chief privacy officer the leader 6% of the time and a compliance officer in 3% of the cases. In 29% of the cases, respondents reported that more than one person had overall responsibility.

After the breach, the preventive measures taken most often were: additional manual procedures and controls (42% of the time), training and awareness programs (29%), encryption of data in motion (23%), encryption of data at rest (16%), information leak detection and prevention systems (13%), security event management systems (10%), additional perimeter controls (10%), identity- and access-management systems (6%), independent security audits (6%), no new procedures or systems (6%) and encryption of data backups (3%). Results add up to more than 100% because respondents could answer in more than one category.
