The Costs of Data Breaches Continues to Rise, Says Ponemon

There are 215 million stories in the naked city . . . and those are just the stories that have something to do with data breaches. That’s the number, dating back to January 2005, established by the Privacy Rights Clearinghouse. If you find that surprising, wait until you hear about the financial loss attached to those breaches. According to the study released last week by the Ponemon Institute, data breach incidents cost companies $197 per compromised customer record in 2007. Here are some equally sobering statistics to think about:

• The average per-incident costs were $6.3 million.
• The cost of lost business increased by 30 percent to an average of $4.1 million.
• Breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners were reported by 40 percent of survey respondents.

Do you feel that knot in your stomach getting tighter?

As companies grapple with the challenge of protecting their customers’ private data, the latest research by The Ponemon Institute shows the cost of failing to protect data do is on the rise. Lost business opportunity, including losses associated with customer churn and acquisition, represented the most significant component of the cost increase.

“The data from 2007 suggests that although companies are responding to data breaches more efficiently, consumers seem to be less forgiving when their personal information is compromised,” said Larry Ponemon, chairman and founder of The Ponemon Institute. “The bigger problem, however, remains the persistent underlying issue of data security. Of course, the easiest way for companies to avoid the costs associated with a data breach would be to avoid a breach in the first place.”

Ponemon’s annual Cost of a Data Breach study tracks a wide range of cost factors, including legal, investigative, and administrative expenses as well as customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit-monitoring subscriptions.

So what measures are being put in place by companies that were crippled by a breach? The report lists the following technologies ranked according to popularity:

1. Expanded use of encryption
2. Data loss prevention solutions
3. Identity and access management solutions
4. Endpoint security controls
5. Security event management solutions
6. Perimeter controls

“Compliance requirements, new notification laws, and the growing list of breaches have made organizations aware they need a different approach to data security,” said Phillip Dunkelberger, president and chief executive officer of PGP Corporation, one of two corporate sponsors of the study. “The 2007 Ponemon study shows that erecting another firewall doesn’t work anymore because confidential data isn’t just inside the company. A single product and a bunch of tactics aren’t enough, either.”

“The fact that more than a third of breaches result from data being shared with third parties in the normal course of business is a clear signal that organizations should examine how they are sharing their customers’ data with outsourcers, vendors, and partners,” said Steve Roop, vice president of products and marketing at Vontu, the other corporate sponsor of this survey.

The Cost of a Data Breach report was derived from the analysis of 35 data breach incidents. Some of those incidents involved a few as 4,000 records while others exceeded 125,000 records. The companies analyzed were from 16 industries, including communications, consumer goods, education, entertainment, financial services, gaming, health care, hospitality, Internet, manufacturing, marketing, media, retail, services, technology, and transportation. Copies of the study are available through PGP, Vontu, and The Ponemon Institute.

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot