2010 Data Breach Costs Report

What would you do first if you discovered that your corporate security had been breached?  Would you fix the technical issues and quietly move on?  Should you audit for other avenues of attack to confirm containment?  Should you quickly analyze logs to determine what records might have been affected?  Should you quickly notify all of your customers?  Should you take the extra time required to perform forensic analysis to determine which records were actually affected?

Business owners, executives and managers need to think about these things, and develop an action plan for this contingency BEFORE it occurs.  If it never does, you haven’t lost anything substantial.  If you don’t plan, you stand a good chance of going into panic mode and over- or under-reacting.  A brand-new Ponemon Institute study sponsored by Symantec finds that data breach victims often move too quickly, wasting money and unnecessarily damaging their reputation and their customers’ trust.

This report quantifies the actual costs incurred by 51 organizations compelled to notify individuals of data privacy breaches, revealing how much companies pay for each kind of data breach studied.  It tracks how much organizations can save if they follow best practices and avoid the major causes of breaches, discusses what drove the cost changes from previous years, and explains what those causes mean for organizations in an evolving data protection environment.

Many companies panic when they discover a data breach, fearing lawsuits, regulatory fines and bad publicity, and they are not as ready, trained and practiced with action plans and forensic tools as they should be.  The first data breach a company experiences is generally the most expensive.  The initial reaction is often to notify as fast as possible based on preliminary findings, and by doing so companies risk notifying customers who are actually unaffected by the breach.  According to the study, the biggest cost of a data breach is customer turnover, and many of these companies lose customers they never needed to notify.  Companies that spend the time on analysis and forensics to determine which customers are actually at risk and require notification ultimately spend less on data breaches.

According to Ponemon’s “Annual Study: U.S. Costs of a Data Breach,” companies that respond to data breaches by immediately notifying their customers spend 54% more per record than companies that take a more measured approach.  43% of surveyed companies notified customers within one month of discovering the breach, and ended up with costs of $268 per record in 2010.  Companies that took longer than a month spent only $174 per record.

Other findings:

  • The cost of lost business stayed relatively stable at around $4.5 million for the third straight year.
  • Data breaches in 2010 cost companies an average of $214 per compromised record, up 5% from 2009.
  • Malicious or criminal attacks are the most expensive breaches, and are on the rise. 
  • 31% of all breaches involved a malicious or criminal act, up 7% from 2009, and averaged $318 per record, up 43% from 2009.
  • More organizations are taking pro-active steps to thwart hostile attacks.
    • The number of organizations responding within 30 days increased.
    • More organizations have put CISOs in charge of data breach response efforts.
    • More organizations have an above-average IT security posture.
  • The cost of breaches by third-party outsourcers rose significantly, up 39% to $302 per record.
  • These figures may indicate that compliance with government and industry regulations for data protection is raising breach costs involving outsourced data.
  • Companies may also be more conscientious about preventing data breaches in the worsening threat environment.
    • Breaches due to systems failures, lost or stolen devices and third-party errors all fell.

Preventive suggestions offered:

  • Encryption (including whole disk encryption and for mobile devices/smartphones).
  • Data loss prevention (DLP) solutions.
  • Identity and access management solutions.
  • Endpoint security solutions and other anti-malware tools.
  • GRC Management solutions to report and enforce compliance.
  • Centralized management of IT security solutions.
  • Audit and test third party service provider security postures.

As always, read the report, plan ahead, and be prepared.  Have a strategy and tools in place to do the proper forensics work, know your exact compliance requirements, and move quickly but cautiously to notify only those customers who are directly affected.  Don’t panic: if you have planned for the event, the sky may not be falling; it might just be a little closer to you than it was yesterday.