By Deborah Gage
November 28, 2007
The cost of recovering from a single data breach now averages $6.3
million-that's up 31 percent since 2006 and nearly 90 percent since
2005, according to the Ponemon Institute, which studies privacy and
Two-thirds of that cost is spent recovering business that's lost after a
breach, a cost that has risen 30 percent since last year. More customers
stop doing business with a company after their information is exposed,
and it's getting more expensive to replace them.
"As consumers and end users get more educated, I think there's less
tolerance," says John Dasher, the director of product management for
PGP, which, along with Vontu, co-sponsored the Ponemon study. Companies
known to have suffered a breach were contacted by Ponemon, and 35 agreed
The companies surveyed were from 16 industries and lost anywhere from
4,000 to 125,000 records. They spent an average of $197 per lost record
investigating the breach, notifying customers, restoring security
infrastructures and recovering lost business.
Breaches by third parties-outsourcers or members of a company's supply
chain-were the second biggest cause of security compromises and are more
expensive. Companies spent an average of $231 per lost record on
third-party breaches compared to $171 per lost record in 2006.
The only costs that got cheaper were those associated with investigating
breaches and notifying customers. Notification costs were down 40
percent, to $15 per customer, suggesting that companies are learning
from each other, Dasher says. Also, more than 30 states now have laws
requiring companies to notify customers which tend to guide companies'
Dasher says when PGP sells its software, which encrypts data, more
people inside a company are now involved in purchasing it. CEOs,
presidents, chief operating officers, legal, and marketing departments
all want a say, in addition to the usual folks in information
technology, "especially if your function touches customer or employee
data," he says. "They all have different concerns." Marketing, for
example, doesn't want to spend precious dollars restoring a damaged
But data encryption software doesn't protect against breaches if it's
not properly deployed, Dasher says. And companies should choose their
business partners carefully. One company which did encrypt its data lost
it to an accounting firm which loaded it onto a laptop, which was stolen
from a car.
This is Ponemon's third survey of data breach costs since 2005. Lost
laptops are a growing problem and now account for 49 percent of
breaches, compared to 35 percent in 2006. Third party breaches were down
to 16 percent of breaches, compared to 21 percent in 2006, although more
companies40 percentreported third party breaches this year.
Copyright (c) 2007Ziff Davis Enterprise Inc.
Visit InfoSec News