The Ponemon Institute has released its annual study on the Cost of a Data Breach. The 2008 Study indicates that the total average costs of a data breach continue to rise. The average cost per breached record is now $202; the average cost per breach is $6.6 million.
The Ponemon Study tracks a wide range of cost factors that relate to data breaches: from detection & notification to legal ramifications and customer loss (tangible or not). The first study from four years ago helped to identify "direct, indirect and opportunity costs from the loss or theft of personal information, thus requiring notification to breach victims as required by law or policy."
The 2008 Study looks at the actual data breach experiences of 43 US companies across 17 industry sectors. This is a larger base sample to draw from than the 35 breaches studied in 2007. The breaches in the survey ranged from 4,200 records to more than 113,000 records.
The average cost per breached record has gone up from $182 in 2006 to $197 in 2007 to $202 in 2008. The average total cost per reporting company was more than $6.6 million per breach (up from $6.3 million in 2007). The range for costs was anywhere from $613,000 to $32 million.
"In these very tough economic times, businesses cannot afford to lose customers as a result of breach. Although new data breaches are reported each week, and seem to be getting larger, consumers have not become immune. While organizations have learned how to respond to a breach more cost-effectively, customers are increasingly prone to terminate their business relationship due to lost data, producing consistently higher abnormal churn rates."
The cost of lost business has the highest impact on the per-record breach cost, accounting for 69% of data breach costs. According to the study, breach costs for first-timers (companies with no previous breach history) are higher, and 85% of cases in the study involved companies with more than one major data breach. Insider negligence was the #1 cause of data breaches, with over 88% resulting from negligence.
Third-party data breaches, such as those experienced when sub-contractors or business partners lose data, are rising in frequency and in cost. 44% of respondents report a third-party data breach (up from 40% in 2007 and 29% in 2006) with higher per-victim costs than internal data breaches ($231 vs $179). The staggering growth of third-party data breaches would indicate a serious, and costly, oversight in data security planning and accountability.
Other highlights from the study: