Counting the Cost of Data Loss
New research from the Ponemon Institute underscores the hit companies can take when they lose control over their customers' personal and financial information.
The institute surveyed more than 9,000 people and found that nearly 12 percent had been notified by companies they did business with about a data breach or loss. Of those customers affected by a breach, 20 percent said they immediately closed their accounts or stopped doing business with the company responsible for the incident. Companies reported that the average loss was 2.5 percent of all customers, ranging to as high as 11 percent.
This isn't the biggest sample size, so the findings aren't necessarily representative nationally. But I do call into question the 20 percent finding: I don't know about you, dear Security Fix readers, but if I find out that a company has been sloppy with my personal data, they will never again receive another dollar from me.
A second Ponemon study released today found the average cost to a company from a security breach worked out to about $14 million (the survey said that amount included actual costs of internal investigations, outside legal defense fees, notification and call center costs, investor relations efforts, discounted services offered, lost employee productivity and the financial hit from lost customers).
The study found that companies that took their time notifying customers about security breaches paid the price for it; companies were four times more likely to lose customers if they failed to notify the victim in a "clear, consistent and timely fashion."
And here's another interesting tidbit: Customers don't like being treated as numbers. Companies surveyed said they were three times more likely to lose customers if they notified them of a breach via a form letter or e-mail instead of telling them over the phone or through a personalized letter.
If you care to drill down further, you can download the studies at the Web site of encryption company PGP Corp., which commissioned them (you'll have to provide a name, e-mail address and some other information before PGP will let you get to the download page).