Data Breaches More Costly Than Ever
Organizations that experienced a data breach paid an average of $6.6 million last year to rebuild their brand image and retain customers following public disclosures of the incidents, according to a new study.
The fourth annual survey by the Ponemon Institute, a Tucson, Ariz.-based independent research company, found that companies spent roughly $202 per consumer record compromised. The same study put the total cost of a breach in 2007 at $6.3 million, and roughly $4.7 million in 2006.
The survey examined cost estimates from 43 organizations that reported a data breach last year. The average number of consumer records exposed in each breach was about 33,000, but the number of records affected in each incident ranged from fewer than 4,200 to more than 113,000. Eighty-four percent of the companies surveyed had experienced at least one data breach or loss prior to 2008, said Larry Ponemon, the institute's founder.
The study measured the direct costs of a data breach, such as hiring forensic experts; notifying consumers; setting up telephone hotlines to field queries from concerned or affected customers; offering free credit monitoring subscriptions; and offering discounts for future products and services. The survey also sought to measure more intangible costs of a data spill, such as the loss of business from increased customer turnover and decreases in consumer trust of the breached entity's brand.
Customer churn, in which customers leave one brand for another following a data breach disclosure, was highest among health care and financial services companies, according to the survey, which found rates of 6.5 percent and 5.5 percent, respectively.
"Some of the best news out of this survey is that churn is really happening," Ponemon said. "People really do care when organizations screw up and lose their data."
The Ponemon cost estimates did not include the effect of a breach on the company's stock price, which in some cases can be substantial.
Last month, when the nation's sixth largest credit and debit card processor -- Heartland Payment Systems -- disclosed a breach that could affect millions of customers, the company's stock price took a nosedive. Shares of Heartland's stock lost 42 percent of their value the day after that disclosure, closing at a 52-week low of $8.18.
The study also does not measure the cost of intellectual property that is lost or stolen as a result of a data breach. At least 44 states and the District of Columbia have enacted laws that require an entity that exposes personal information on consumers to notify those affected. But Phillip Dunkelberger, chief executive officer with data encryption giant PGP Corp., which sponsored the study, said even if a breach does not force a company to notify consumers, the breach often exposes proprietary data that can jeopardize millions of dollars invested in research and development.
"The first thing companies say when they have a breach is 'Well, we'll implement encryption and data leak prevention technologies, and maybe do more training'," Dunkelberger said. "That's great, but what amount of brand damage has to occur in these public disclosures before we see changes made to the way companies handle not just consumers' personal information, but also the intellectual property that drives their businesses?"
Gerhard Watzinger, executive vice president of corporate strategy and business development at McAfee, said the incidence of high-profile data breach disclosures over the past year is pushing more companies to invest in data leak prevention technologies. McAfee estimates that data theft and breaches may have cost businesses worldwide as much as $1 trillion last year.
"We're seeing a shift in attitude about these preventative technologies from one of a cost-center to being a potential revenue-generator," Watzinger said. "With all of these well-publicized data breaches, companies are finding out how expensive it is to repair things after the fact, because the pain organizations suffer from a data breach now is pretty high."
Update, 1:30 p.m. ET: Added perspective from McAfee. Also, an earlier version of this story incorrectly attributed the quote to former McAfee expert Gerhardt Eschelbeck.
February 2, 2009; 11:27 AM ET