Cost of Data Breaches Rises Sharply

The financial and business losses associated with corporate data leaks have risen significantly over the past year, as related criminal schemes and customer defections weigh more heavily on firms' bottom lines.

Leaks of sensitive customer information and other corporate data are costing companies in the United States substantially more in related financial and business losses in 2006, according to a new study published by the Ponemon Institute.

Based on the findings of the Ponemon Data Breach Study, to be published on Oct. 23, information losses cost U.S. companies an average of $182 per compromised record in 2006, compared to an average loss of $138 per record in 2005, for an increase of about 31 percent.

The report, which is based on interviews held with 56 individual companies known to have experienced a data loss in the last year, maintains that roughly $128 of the 2006 figure is related to indirect fallout from information leaks, such as higher-than-normal customer turnover.

Other costs spurred by data mishandling or theft included an average of $660,000 per company in expenses related to notifying customers, business partners and regulators about data leaks.

Ponemon contends that each company surveyed sacrificed roughly $2.5 million in lost business as a result of its incidents.

To arrive at the figure, researchers combined costs from legal, investigative and administrative expenses with information related to affected companies' stock performance and customer defections, among other indicators.

Each company interviewed has parted with an average of $4.7 million in payouts and lost business in total, related to the incidents.

Companies in the study paid almost $300,000 on average to investigate their data leaks and spent just over $1.24 million on average for other efforts aimed at responding to records losses, such as setting up customer support hotlines or offering credit monitoring services to help protect against related fraud.

The price tag for each of the data loss overhead categories, including detection, notification, lost business and associated expenses, rose noticeably for 2006 compared to 2005.

The greatest leap was measured in lost business, which cost companies an average of $22 per record more in 2006 than it did in 2005. Firms lost an average of $98 in business per record this year, compared to $75 per record in 2005.

The average financial losses and overhead expenses related to data leakage incidents increased in direct relation to the number of records lost by an individual company, according to the research.

Total costs for each cited records loss studied in the report ranged from less than $1 million to more than $22 million.

"The burden companies must bear as a result of a data breach is significant, making a strong case for more strategic investments in preventative measures such as encryption and data loss prevention," said Dr. Larry Ponemon, chairman of Ponemon Institute, which is based in Elk Rapids, Mich.

"Tough laws and intense public scrutiny mean the consequences of poor security are steep—and growing steeper for companies entrusted with managing stores of consumer data."

In charting the most common sources of data leaks, researchers found that lost or stolen laptops remain the top culprit, accounting for 45 percent of all the incidents studied.

Records lost by third-party business partners or outsourcing companies were the second most common type of event, accounting for 29 percent of all the reported leaks.

Misplaced or stolen backup files, such as those stored on magnetic tapes, accounted for 26 percent of the incidents, while the much-publicized use of malware programs that steal data was reported in only 10 percent of the losses. Companies contributing to the report often cited more than one cause for a particular breach.
