Acting too quickly after a data breach can cost companies even more money, the Ponemon Institute reports.
Data breaches are not getting any cheaper to deal with, and companies that
jump the gun on notifications can end up paying the most.
In its fifth
annual study on data breaches,
the Ponemon Institute discovered that about
36 percent of participants notified
their breach victims
within one month, but ended up paying $219 per
compromised record as opposed to the $196 paid by others. According to the
study, a reason for this may be that companies moved too quickly through
the process of detection, notification and related activities, and made costly
mistakes along the way.
"Panicking and making decisions before all the facts are accurately
determined may result in extending credit services to individuals who may not
have been affected in any way that would put their credit at risk, for example,"
noted Mike Spinney, senior privacy analyst with Ponemon. "Initial
assessments may have indicated 100,000 folks, but in reality only 50,000 were
on the missing disk ... that kind of thing can result in wasted money and
effort in making notice."
Overall, the report found the average cost of a breach in 2009 rose to $204
per compromised record,
up from $202 in 2008. The PGP-commissioned study
also found that the average organizational cost of a data breach rose from $6.65
million in 2008 to $6.75 million in 2009.
According to the report, the biggest driver of data breach costs is the loss
of existing and future customers, which is referred to as the "abnormal
churn rate." The industries with the highest churn rates-
all standing at 6 percent-
were pharmaceuticals, communications and
health care. The financial services industry had a churn rate of 5 percent.
Overall, the average abnormal churn rate across all industries stood at 3.7
percent in 2009, 0.1 percent higher than in 2008.
"Customers are increasingly aware of and expecting a secure level of
protection and privacy for the data they entrust to businesses," PGP CEO
Phillip Dunkelberger said in a statement. "Our study with the Ponemon
Institute continues to demonstrate that companies whose data is not protected
are not only facing expensive direct costs from cleaning up a data breach, but
also a loss in customer confidence that has long-lasting ramifications."
While breaches caused by negligent insiders decreased, the portion caused by
attacks and botnets
rose to 24 percent in this year's study-
double the percentage from 2008. The cost of
falling victim to such an attack,
is roughly 40 percent higher
than the cost of a breach involving a negligent insider, the study found.
Meanwhile, businesses seem to be investing more heavily in technology to
deal with the problem. Use of encryption (58 percent), identity and access
management (49 percent), and data loss prevention products (42 percent) all
increased among study participants.
"Any effective data security strategy requires a balance of technology,
awareness and education as it relates to a company's policies and procedures,"
Spinney told eWEEK. "I believe the increase in breaches due to
malicious attacks reveals an improvement in an organization's ability to detect
such attacks, but it does not necessarily suggest that individuals are more
vigilant. Awareness is an ongoing effort and one of the least costly components
of an effective data security strategy."