Average data breach costs companies $5 million

Companies spent nearly $5 million on average, and 30% more, this year than in 2005, to recover when corporate data was lost or stolen, according to a new study from the Poneman Institute.

The Ponemon Institute's 2006 Cost of Data Breach Study, which was completed in September, shows that the main culprit for data loss in 49% of the cases is a lost or stolen laptop, desktop, PDA or thumb drive. The study looked at 31 companies that have experienced a data breach in the past year.

There have been 254 data-breach incidents this year alone, according to the Privacyrights.org Web site. The study also concluded that companies spend $180,000 after each incident to prevent further data breaches.

In addition, the average cost for each compromised record was up by more than 30% over last year, rising from $138 to $182. The average total recovery cost was $140 per lost customer record. According to the study, the increase was fueled by three factors: phone calls for customer notification, free or discounted services and an increase in customer turnover.

Observers note that those costs have nothing to do with IT and suggest that companies need to look across a broader spectrum when factoring costs.

"By not connecting the dots, companies are not seeing the true costs and, therefore, the true value of preventative measures," says Andrew Krcik, vice president of marketing for PGP, one of the sponsors of the survey with Vontu. "He says many companies lack a holistic approach to figuring out costs. "They should be looking at what it costs the company instead of looking at what it costs a particular group, especially IT."

The Poneman Institute is an independent research company focused on issues affecting the implementation of responsible information practices within business and government. The study computed the costs by taking into account such expenses as outlays for detection, escalation, notification and after-the-fact response. The study also took into account direct expenses such as outsourced hot-line support, free credit-monitoring subscriptions, and discounts for future products and services. Indirect costs included in-house investigation and communication, as well as customer turnover.

One interesting finding was that the data theft because of malicious activity by employees accounted for only 6% of data breaches. Corporate insiders have long been tagged as major threats when it comes to stolen corporate data.

After stolen laptops, desktops, PDAs or thumb drives, the most common method of data loss was lost or stolen files acquired or used by third parties or outsourcers, put at 29%. Lost or stolen electronic backup such as magnetic tapes accounted for 26%, and lost or stolen paper records and files accounted for 13% of data breaches.