By Heather Greenfield
National Journal's Technology Daily
October 23, 2006
A new study reports that data breaches may cost companies even more than
previously thought. The Ponemon Institute released its annual study on
the cost of data breaches and found that they cost companies on average
$182 per compromised record.
The institute arrived at the number by analyzing incidents involving 31
companies, all but one a Fortune 500 company. Institute Chairman Larry
Ponemon said the companies chose to turn over their data on data
breaches in hopes of gaining a benchmark of how they were doing.
"It shows the real cost of doing privacy wrong," Ponemon said. He said
the costs include detecting the problem, a step that often involves
consultants, auditors and maybe lawyers. He also looked at the cost of
losing customers, fixing the leaks and notifying people whose records
Vontu and PGP, two security companies, helped fund the Ponemon
Ponemon said the cost of printing and mailing notices is "gigantic." He
noted that this year's major breach at the Veterans Affairs Department
cost $7 million just to send letters to the affected veterans, including
Then there is the cost of creating call centers for disgruntled
customers and credit-monitoring or reporting services to help customers
who could become identity-theft victims, which Ponemon estimates at $15
to $30 per person.
Ponemon said his previous study involving 14 companies for 2005 showed a
breach cost $138. He noted that the increased cost this year is 31
percent. But he acknowledged that "a benchmark study of companies is not
"We think our data is a good conservative estimate," he said, calling it
conservative because the companies had better-than-average security
Previously, there have been few studies on the cost of data breaches.
Gartner, a security research firm, estimated at congressional hearings
this summer that the average cost of a data breach is $90 per person,
whereas encrypting the records would cost $6 per person.
Gartner and companies offering security solutions complained to
lawmakers that the technology solutions exist, but companies would not
invest in better security unless forced to by legislation -- or if the
cost investment was clearly worth it.
Four different bills aimed at curbing data breaches by forcing companies
and the federal government to notify victims have languished. The Center
for Democracy and Technology and Consumers Union are among those
fighting against one measure, H.R. 3997, for being too weak. The bill
would allow companies to conduct their own investigations into data
breaches to determine if notifying victims is necessary.
The Privacy Rights Clearinghouse reports that there have been 330
data-loss incidents affecting 93 million individual records since
February 2005. A report released this month from the House Government
Reform Committee also found that data loss is pervasive among federal
Copyright 2006 by National Journal Group Inc.