Data Breaches Cost Companies $6.6 Million on Average

In a study of 43 companies that were involved with a data breach of some type last year it was found the total cost of coping with the breach rose $6.6 million per data breach. This number is up from the $6.3 million needed in 2007 and only the $4.7 million needed in 2006.

"For the majority of our companies, it was not their first time," said Larry Ponemon of the research group. "84% of the cases were repeat offenders, and only 16% were new." Most of the newer companies experiencing a data breach for the first time were paying on average $243 per record while the repeat offenders and larger companies generally were more prepared and only paid on average, $192 per record.

Forty-four percent of the organizations surveyed reported a breach by a third party, such as a contractor or outsourcer, and more than 88 percent of all cases this year involved incidents resulting from insider negligence according to the study.

It was only last week when Monster.com informed users of their database being compromised resulting in all its users' data being taken. Then the week before, we announced that a payment processing system got hacked and over 100 million credit cards possibly taken in that breach. So it's very clear that data breaches not only hurt the customers involved but the company as a whole due to lost revenues, research, adding additional security and other things.

Other key findings from the study include the following:

-- Average total per-incident costs in 2008 were $6.65 million, compared to an average per-incident cost of $6.3 million in 2007.

-- Healthcare and financial services companies experienced the highest churn rate -- 6.5 percent and 5.5 percent respectively, on a total average of 3.6 percent, which reflect the sensitivity of the data collected and the customer expectation that information will be protected.

-- Third-party organizations accounted for more than 44 percent of all cases in the 2008 study and are also the most costly form of data breaches due to additional investigation and consulting fees.

-- More than 84 percent of 2008 cases involved organizations that had had more than one data breach in 2008 -- meaning that companies are becoming more experienced in managing breaches over time.

-- More than 88% of all cases in this year's study involved insider negligence.

-- More than half of respondents believe that training and awareness programs assist in preventing future breaches and 44 percent have expanded their use of encryption.

-- The most significant cost decrease was seen in activities relating to post-breach response, which indicates that organizations are becoming more cost effective in managing data breaches.

"After four years of conducting this study, one thing remains constant, U.S. businesses continue to pay dearly for having a data breach," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy."

The study, sponsored by PGP Corporation and independently conducted by the Ponemon Institute, examines the financial consequences of data breaches involving consumers' personally identifiable information. The study uses objective methods for quantifying specific activities that result in direct, indirect and opportunity costs from the loss or theft of personal information, thus requiring notification to breach victims as required by law or policy.

"In this current economic climate, U.S. businesses can't afford to give their customers any reason to go elsewhere," said Phillip Dunkelberger, president and CEO of PGP Corporation. "This study continues to show that the results of a data breach can seriously wound a company's bottom line and reputation. This begs the question, when are organizations going to get proactive about protecting their critical data."