Data breach incidents cost US companies $204 per compromised customer record in 2009, a rise of $2 from the previous year.
According to results from the fifth annual ‘US Cost of a Data Breach Study’ by the Ponemon Institute and PGP, the average total per-incident cost in 2009 was $6.75 million, up from $6.65 million in 2008, despite an overall drop in the number of reported breaches (498 in 2009 compared with 657 in 2008, according to the Identity Theft Resource Center).
The study tracks a wide range of cost factors, including expensive outlays for detection, escalation, notification and response along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions.
It found that data breaches resulting from malicious attacks and botnets were more costly and severe than other types. Negligent insider breaches have decreased in both number and cost. Organisations are also spending more on legal defence costs, which can be attributed to increasing fears of successful class actions resulting from customer, consumer or employee data loss.
Breaches involving third-party organisations accounted for 42 per cent of all cases, down from 44 per cent in 2008. These remain the most costly form of data breach due to the additional investigation and consulting fees they incur.
Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said: “In the five years we have conducted this study, we have continued to see an increase in the cost to businesses for suffering a data breach. With a variety of threat vectors to contend with, companies must proactively implement policies and technologies that mitigate the risk of facing a costly breach.”
Phillip Dunkelberger, president and CEO of PGP, said: “As breaches are becoming all too commonplace, US businesses cannot afford to ignore protecting the valuable, sensitive data they have been entrusted with.
“Our study with the Ponemon Institute continues to demonstrate that companies whose data is not protected are not only facing expensive direct costs from cleaning up a data breach, but also a loss in customer confidence that has long-lasting ramifications.”
Commenting, Todd Chambers, chief marketing officer at Courion, said: “The data from the Ponemon Institute once again serves as a stark reminder of the real world costs of lax data security.
“Failure to clamp down on data security has real and painful consequences for any organisation, regardless of whether it is a public or private sector body. Data breaches cost jobs, create catastrophic bad press and can have a painful impact on the bottom line.
“Coupled with the new powers of the Information Commissioner's Office to fine companies in the UK upwards of £500,000 for each instance of a data protection failing, the final cost of a breach or loss could very quickly dwarf the £4.1 million ($6.75 million) average per incident revealed in this year's survey.
“This increase is a likely knock-on effect of two years of reduced headcount and focus around data governance among some organisations. This in turn has led to information assets being lost, stolen and exploited due to a lack of oversight. Fortunately, as the report shows, investment is increasing as companies look to correct such oversights before they become systemic. In short, if you think the cost of data governance is expensive, look at the overall cost to a business of a data breach.”