It’s no surprise that data breaches are expensive. The exact cost of these incidents, which have only become more spectacularly headline-grabbing in recent months, is a question that the Ponemon Institute has addressed for the past six years. Their most recent analysis, the 2010 U.S. Cost of a Data Breach, includes a look at 51 U.S. companies from 15 different industry sectors, all of which experienced data breaches.
The findings dispel any notion that data breaches are becoming less costly as consumers grow accustomed to data breach notifications and presumably care less about breach incidents. In fact, consumers are still highly concerned about data breaches, and the costs of breaches are climbing.
A few key takeaways from the Ponemon study:
- The average cost of a data breach increased by seven percent to $7.2 million in 2010, with the cost of each compromised record now averaging $214, up from $209 in 2009.
- Costs of a data breach include notification and legal defense costs, penalties from regulations such as the HITECH Act, and lost customer business.
- For the first time, malicious or criminal attacks are the most expensive cause of data breaches and not the least common one: they are up from 12% in 2008 to 24% in 2009 and 31% in 2010.
- Quick responses to data breaches are more costly than slower responses: 54% more, to be precise. In their haste to comply with state and federal regulations, some companies rush to get the notification process over with and, in the process, over-notify.
- Companies are more proactively protecting themselves from data breach threats. For example, breaches due to systems failures, lost devices and third-party mistakes are lower than before. And while some companies may be responding to breaches too hastily (and inefficiently), the good news is that more companies are responding to breaches within 30 days of an incident.
One of the more surprising findings is that negligence is still the leading cause of data breaches, at 41%, further underscoring the need for companies to strengthen their security practices. On the bright side, the average breach detection and escalation costs went up by 72%, so it appears that companies are beginning to get the message that the threat of data breaches requires aggressive precautions.