
Counting the Cost of Data Loss

New research from the Ponemon Institute underscores the hit companies can take when they lose control over their customers' personal and financial information.

The institute surveyed more than 9,000 people and found that nearly 12 percent had been notified by companies they did business with about a data breach or loss. Of those customers affected by a breach, 20 percent said they immediately closed their accounts or stopped doing business with the company responsible for the incident. Companies reported that the average loss was 2.5 percent of all customers, ranging to as high as 11 percent.

This isn't the biggest sample size, so the findings aren't necessarily representative nationally. But I do call into question the 20 percent finding: I don't know about you, dear Security Fix readers, but if I find out that a company has been sloppy with my personal data, they will never again receive another dollar from me.

A second Ponemon study released today found the average cost to a company from a security breach worked out to about $14 million (the survey said that amount included actual costs of internal investigations, outside legal defense fees, notification and call center costs, investor relations efforts, discounted services offered, lost employee productivity and the financial hit from lost customers.)

The study found that companies that took their time notifying customers about security breaches paid the price for it; companies were four times more likely to lose customers if they failed to notify the victim in a "clear, consistent and timely fashion."

And here's another interesting tidbit: Customers don't like being treated as numbers. Companies surveyed said they were three times more likely to lose customers if they notified them of a breach via a form letter or e-mail instead of telling them over the phone or through a personalized letter.

If you care to drill down further, you can download the studies at the Web site of encryption company PGP Corp., which commissioned them (you'll have to provide a name, e-mail address and some other information before PGP will let you get to the download page.)

By Brian Krebs  |  November 14, 2005; 12:25 PM ET


I got a "we let hackers have your personal data" letter from LexisNexis. When I called to talk to them about it, I asked if I could opt out of their system (I never asked them to store - let alone lose - my social security number). I was told that only elected officials and police officers could opt out. So in this case, there was no way to quit. With the oops-sorry letter came an offer of a free year of Equifax. Given how many sales-related emails I get from Equifax, I'm not sure who paid who on this transaction.

Posted by: cgw | November 14, 2005 4:14 PM

There are a couple of misleading implications in the line, "I don't know about you, dear Security Fix readers, but if I find out that a company has been sloppy with my personal data, they will never again receive another dollar from me." First, just about every company is sloppy with your personal data. Second, you have only a modest amount of control over who collects and holds your personal data. So the idea that individuals can punish companies for poor personal data protection by not doing business with them is rather misguided. Or, more accurately, wishful--it would be great for individuals to have that much control over the situation, but we don't, at least for now.

Posted by: snf | November 14, 2005 4:41 PM

There's another problem with trying to stop being a customer of a sloppy business - sometimes it's very expensive and time-consuming to stop. Think mortgage servicer. It might cost you several thousand dollars to refinance, and your rate may not be as good as you might already have. Is it practical to switch?

Posted by: scott | November 14, 2005 6:40 PM


© 2010 The Washington Post Company