Average Data Breach Cost Rises to $7.2 Million Per Incident: Survey

At more than $7 million, data breaches are costly for organizations, and there are no signs of the costs coming down anytime soon, according to a research study.

The average cost of a data breach for an organization went up for the fifth year in a row, to $7.2 million, Ponemon Institute found in its sixth annual data breach report.

Total cost is not the only thing that went up, as the average cost per compromised record increased to $214, according to the 2010 data breach report released by Symantec and Ponemon Institute on March 8. The cost per compromised record was $204 and total organization cost per breach was $6.8 million in 2009. Total breach costs have gone up every year since 2006, and the Ponemon Institute did not expect the trend to dip downwards anytime soon, according to the report.

"We continue to see an increase in the costs to businesses suffering a data breach," said Larry Ponemon, chairman and founder of the Ponemon Institute.

Ponemon Institute considers a number of factors when calculating costs, such as the process in which a data breach is detected and investigated, how the victims are notified and the cost of deploying new remedies to resolve the issue. There are also other associated costs, such as setting up a call center to enable victims to get more information, paying for credit protection services, lost sales and productivity because customers no longer trust the organization to keep data safe, Josh Shaul, CTO of Application Security, told eWEEK.

There can be additional costs if regulators crack down with harsher penalties, such as the recent fines on health care organizations for violating HIPAA, he said.

For the second year in a row, data breach costs went up because organizations responded rapidly to these incidents, the institute found. Fast-acting organizations wound up spending 54 percent more per record than companies that moved more slowly, the survey found.

About 43 percent of companies notified victims within one month of discovering the breach and faced an average per-record cost of $268, the survey found. Seven percent more companies responded that quickly in 2010 than in 2009, but their costs went up 22 percent. Companies that took longer to notify users paid a mere $174 per record.

Most regulations require organizations to notify affected customers within 60 to 120 days after discovering the breach.

While the total cost of a data breach can vary by the organization's size, industry, location and existing security practices, the Ponemon Institute found there was a positive correlation between the number of records lost and the cost of the incident.

Malicious attacks, regardless of whether they originated internally or externally, were the most expensive and appear to be increasing in frequency, the report found. Nearly one-third, or 31 percent, of all cases involved a malicious or criminal act, up 7 percent from 2009. A malicious attack was likely to cost companies $318 per compromised record, up 43 percent from 2009.

Despite the rise of malicious attacks, the most common threat still comes from negligent employees. The number of breaches caused by negligence, such as not securing data properly, increased slightly to 41 percent, and averaged $196 per record, the survey said.

"Securing information continues to challenge organizations at all levels, but the vast majority of these breaches are preventable," said Francis deSouza, senior vice president of Symantec's enterprise security group. Organizations must create a "culture of security" that includes training, data security policy and technology, he said.

After a data breach, organizations continue to rely primarily on training and awareness programs to emphasize information security. While 63 percent of the respondents mentioned training, implementing encryption mechanisms was the second most popular data-breach remedy, at 61 percent, the report found. Both encryption and data loss prevention implementations have increased 17 percent since 2008.

Encrypting data minimizes the impact of lost or stolen data because thieves or unauthorized users can't easily get access to the sensitive information. Symantec also recommended organizations integrate information protection practices into business processes so that security is not an afterthought.

The 2010 Annual Study: U.S. Cost of a Data Breach is based on actual data breach experiences in 2010 of 51 companies from 15 different industry sectors including finance, health care, technology and transportation. The data breach cases ranged from 4,200 to 105,000 compromised records.