Data Breaches More Costly Than Ever

Organizations that experienced a data breach paid an average of $6.6 million last year to rebuild their brand image and retain customers following public disclosures of the incidents, according to a new study.

The fourth annual survey by the Ponemon Institute, a Tucson, Ariz.-based independent research company, found that companies spent roughly $202 per consumer record compromised. The same study put the total cost of a breach in 2007 at $6.3 million, and roughly $4.7 million in 2006.

The survey examined cost estimates from 43 organizations that reported a data breach last year. The average number of consumer records exposed in each breach was about 33,000, but the number of records affected in each incident ranged from fewer than 4,200 to more than 113,000. Eighty-four percent of the companies surveyed had experienced at least one data breach or loss prior to 2008, said Larry Ponemon, the institute's founder.

The study measured the direct costs of a data breach, such as hiring forensic experts; notifying consumers; setting up telephone hotlines to field queries from concerned or affected customers; offering free credit monitoring subscriptions; and discounts for future products and services. The survey also sought to measure more intangible costs of a data spill, such as the loss of business from increased customer turnover and decreases in consumer trust of the breached entity's brand.

Following a data breach disclosure, the rate at which customers leave one brand for another, known as customer churn, was highest among health care and financial services companies, at 6.5 percent and 5.5 percent respectively, according to the survey.

"Some of the best news out of this survey is that churn is really happening," Ponemon said. "People really do care when organizations screw up and lose their data."

The Ponemon cost estimates did not include the effect of a breach on the company's stock price, which in some cases can be substantial.

Last month, when the nation's sixth largest credit and debit card processor -- Heartland Payment Systems -- disclosed a breach that could affect millions of customers, the company's stock price took a nosedive. Shares of Heartland's stock lost 42 percent of their value the day after that disclosure, closing at a 52-week low of $8.18.

The study also does not measure the cost of intellectual property that is lost or stolen as a result of a data breach. At least 44 states and the District of Columbia have enacted laws that require an entity that exposes personal information on consumers to notify those affected. But Phillip Dunkelberger, chief executive officer with data encryption giant PGP Corp., which sponsored the study, said even if a breach does not force a company to notify consumers, the breach often exposes proprietary data that can jeopardize millions of dollars invested in research and development.

"The first thing companies say when they have a breach is 'Well, we'll implement encryption and data leak prevention technologies, and maybe do more training'," Dunkelberger said. "That's great, but what amount of brand damage has to occur in these public disclosures before we see changes made to the way companies handle not just consumers' personal information, but also the intellectual property that drives their businesses?"

Gerhard Watzinger, executive vice president of corporate strategy and business development at McAfee, said the incidence of high-profile data breach disclosures over the past year is pushing more companies to invest in data leak prevention technologies. McAfee estimates that data theft and breaches may have cost businesses worldwide as much as $1 trillion last year.

"We're seeing a shift in attitude about these preventative technologies from one of a cost-center to being a potential revenue-generator," Watzinger said. "With all of these well-publicized data breaches, companies are finding out how expensive it is to repair things after the fact, because the pain organizations suffer from a data breach now is pretty high."

Update, 1:30 p.m. ET: Added perspective from McAfee. Also, an earlier version of this story incorrectly attributed the quote to former McAfee expert Gerhardt Eschelbeck.

By Brian Krebs  |  February 2, 2009; 11:27 AM ET

Comments

That's "Tucson", not "Tuscon"!

Posted by: ww3lstep | February 2, 2009 11:58 AM | Report abuse

fixed. tx w33.

Posted by: BTKrebs | February 2, 2009 12:00 PM | Report abuse

Most companies enjoy “security” insofar as they haven’t been targeted, or had an employee make a human error with catastrophic exposure. Price Waterhouse Cooper and Carnegie-Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture – absent new eCulture, breaches will, and continue to, increase. For example: Microsoft patched for the worm affecting Heartland 4 months ago. As CIO, I’m constantly seeking things that work, in hopes that good ideas make their way back to me - check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: www.businessforum.com/DScott_02.html -
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome – or propagate one.

Posted by: johnfranks999 | February 2, 2009 12:49 PM | Report abuse

At the risk of sounding like the "consultant" that I am, lack of IT security solutions is not the fundamental problem within most organizations. Even the 23-year-old kid hunkered down at the prison-like data center in yesterday's tee-shirt understands that a failure on his or her part could lead to what is apparently a $6MM or so problem. Further, many of the organizations responsible for the end-security or storage of financial information and PII don't have anything close to $6MM in cash to cover the potential liability. Yet, solutions are available -- ranging from IT security to vendor management to cyberliability insurance. 5% of that $6.6MM will buy you $15MM in insurance from the London markets, but here's the catch: CIOs are not talking to their CFOs; GCs are not talking to their CIOs; and CFOs are not taking the time to appreciate the overall costs associated with protecting their biggest asset: BRAND. If not brand, well then, privacy breach notification costs. It's a shame, really, watching companies go down over these incidents. We're long since in the age of the information superhighway, but nobody has insurance to cover the data breach fender-bender.

For comments, Ms. Smith may be reached at JSmith@Lockton.com.

Posted by: jsmith5 | February 2, 2009 1:10 PM | Report abuse

Why does the press mindlessly regurgitate unsubstantiated numbers as fact?

Do you really believe that in 2007 cybercrime cost $1 trillion US dollars? Just to give some perspective, the US GDP was ~$14 trillion, and that includes everything... and do you really believe that every record compromised cost $202?

If you look at the information known about Hannaford and TJX, 2 highly visible breaches, it is difficult to come to any number greater than about $10 per record - still high, but nowhere near the FUD factor of $202 per record touted by the Ponemon study.

Posted by: AmritWilliams | February 3, 2009 2:38 AM | Report abuse

Before you criticize the survey too much, look at the cost breakdowns. The $202 is made up of detection ($8), notification ($15), post response ($39), and lost business ($139). With lost business being 70%, do you believe that business disappeared or did it move to a competitor? If it moved to a competitor, it probably didn't negatively affect GDP.

I also viewed the detection money as sunk costs. This structure has to be in place, so the incident used the structure but probably didn't add to its cost.

The remaining two categories are notification and post response, which includes items such as credit monitoring. $54 sounds high but this is what the companies in the survey reported.

Something else to consider is the number of records in the reported breaches. A small breach doesn't divide overhead as much. It also doesn't provide leverage to obtain a discount on bulk credit monitoring, address verification (necessary when you don't have addresses), etc.

My own experience tells me the $54 would probably be on the high side for my organization but $10 is unbelievably low.

Posted by: mwr2 | February 3, 2009 12:36 PM | Report abuse

Any company not doing whatever it takes to make the necessary investments in security will eventually be outed by the criminal hacker. It's not a matter of if, but when.

Study after study points towards organized webmobs attacking every aspect of information security from application development to the Wild Wild Web. www.IDTheftSecurity.com

Posted by: Identity-Theft-Expert | February 4, 2009 8:03 AM | Report abuse

Exactly right. A company doesn't have the luxury to wait and see if they have a budget for digital security. If they don't step up to the plate eventually they will be taken down. It's more of a bottom line necessity when working with digital media online.

http://www.justaskgemalto.com

Posted by: ThomasWhitney | February 4, 2009 1:41 PM | Report abuse

© 2010 The Washington Post Company