
Data-breach costs rising, study finds

By Ellen Messmer, Network World
February 02, 2009 12:17 AM ET

In its study of 43 companies that suffered a data breach last year, the Ponemon Institute found the total cost of coping with the consequences rose to $6.6 million per breach, up from $6.3 million in 2007 and $4.7 million in 2006.

The cost per compromised record in 2008 rose 2.5% over the year before to $202 per record, according to the study being released today.

"Each company is like a case study," says Larry Ponemon, head of the research group, noting that these 43 companies volunteered to participate in the study, which doesn’t reveal their names.

But the study, which was sponsored by security vendor PGP, does offer findings about how these companies struggled with the fallout of a data-breach incident. Such incidents are often publicly reported because state regulations require notifying individuals if their confidential personal data has been lost, stolen or compromised.

"For the majority of our companies, it was not their first time," says Ponemon about the 43 U.S.-based companies in the 2008 data-breach study. "84% of the cases were repeat offenders, and only 16% were new."

He adds that first-timers found a data breach to be more expensive. According to the study, first-timers found themselves coughing up $243 per record, while for experienced companies, costs were held down to $192 per victim record.

There are some distinct consequences of a data breach, especially in healthcare and financial services, Ponemon notes. In these two industries more than others, customers notified of a data breach are more likely to discontinue association with companies that failed to secure sensitive data about them.

Despite headlines about lost and stolen data, "What continues to amaze me is that you'd think that people would be indifferent to a data-breach notification, but people continue to care a lot," Ponemon said.

While the average customer "turnover" or "churn" due to a data breach was generally 3.6%, in healthcare it was a much higher 6.5% and in financial services 5.5%. And the cost of a healthcare breach, at $282 per record, was more than twice as high as that of the average retail breach at $131 per record.

In other findings, the Ponemon study said 88% of all the cases for 2008 were traced back to insider negligence. The survey also showed that 44% of data breaches occurred due to external causes involving third parties, an increase from 40% in 2007 and 29% in 2006, the Ponemon report states.

A third-party breach is defined as one involving third-party professional services, outsourcers, vendors and business partners that were in possession of the data and responsible for holding it.

Costs for a data breach mount up because of lost business and legal defense, which grew in 2008, while costs of customer support, notification and free services such as credit monitoring decreased, according to the study.

The most-cited steps that companies took following a breach included training and awareness programs; more manual procedures and controls; expanded use of encryption; identity and access-management deployments; and data-loss prevention products.


Comments (7)

So who's learning from this?
By kermidge on February 2, 2009, 2:04 am
With 84% repeats, doesn't seem as though they've learned much, aina?


there's a good article on this issue and malware and general
By Anonymous on February 2, 2009, 12:17 pm
Why are viruses and malware still an issue? http://www.trueprotection.com/newsone.html


Business "Security" Mostly a Matter of Luck - What to Do?
By johnfranks999 on February 2, 2009, 12:39 pm
Most companies enjoy “security” insofar as they haven’t been targeted, or had an employee make a human error with catastrophic exposure. Price Waterhouse Cooper...


Self serving data
By Anonymous on February 2, 2009, 7:50 pm
Sponsors get "3rd party data" for sales and marketing data. Ponemon gets to be the "expert" in this DLP study market and drum up more business..


How many of those breaches were contractors that also work for t
By Anonymous on February 2, 2009, 10:43 pm
How many of those forty some breaches were Contractors like Accenture who do work for the government.


Solidcore Survey
By Anonymous on February 9, 2009, 1:40 pm
Hi, Solidcore had conducted a survey last year and reached a similar conclusion (http://www.solidcore.com/news_events/release79.html). Over the course of 2008,...
