
Group: Data Breaches Down, but Costs Up

Companies pay $204 per breached record
February 15, 2010

For the fifth straight year, the cost of the average data breach has gone up, according to Michigan-based research firm the Ponemon Institute.

The number of reported breaches actually shrank 24.2 percent in 2009, to 498 from 657 the previous year, according to the group’s latest “U.S. Cost of Data Breach Study.” But the average cost per incident rose from $6.65 million to $6.75 million. The institute figures that every “compromised customer record” costs companies $204 to deal with, up from $202 in 2008.

“There's no real way to avoid a data breach; it's going to happen,” institute founder and chairman Larry Ponemon told SearchSecurity.com. “The good news is that companies get better in handling a breach with experience and that results in lower costs.”

In the study, which was partly funded by the Bay Area enterprise data-protection company PGP Corp., Ponemon interviewed 45 companies and determined the annual cost of data breaches by factoring a variety of potential hits to the balance sheet, including hardware used to detect breaches; policies put in place to notify customers and authorities; legal and investigative expenses; and long-term damage to a company’s brand and reputation.

One of the 45 companies interviewed took first prize for most expensive breach: more than 100,000 customer records placed at risk, costing that firm $31 million to clean up the mess.

A joint statement by PGP and Ponemon noted that heightened levels of training and awareness programs could be responsible for a drop in the number of “negligent insider breaches.”

However, costs associated with malicious attacks and botnets were “severe,” the statement said. Companies and organizations also are spending more on legal defense costs, out of apparent fear that prominent data breaches will result in class-action lawsuits.

The study also found that mistakes and lapses by third-party companies (like vendors) were associated with breaches in 42 percent of the firms surveyed. Lost laptops and USB drives were linked to 40 percent of breaches.

©2003-2010 Identity Theft 911, LLC. All rights reserved.
