Data Breach Costs Surge in 2009: Study

Data breach incidents cost companies an average of $6.75 million each time, according to a new study released by security researcher The Ponemon Institute and PGP Corp., an e-mail and data encryption security software developer.

And while the study found that the total number of reported data breaches declined from 657 incidents in 2008 to 498 last year, the average cost inched up from $202 to $204 per customer record.

The firms' joint U.S. Cost of Data Breach Study chronicles a wide range of cost factors, including the outlays for detection, escalation, notification and response along with legal, investigative and administrative expenses, customer defections, opportunity loss and reputation management.

The $6.75 million cost per incident was slightly higher than the $6.65 million enterprise clients shelled out in 2008. Those figures include the costs associated with customer support such as information hotlines and credit monitoring subscriptions.

"In the five years we have conducted this study, we have continued to see an increase in the cost to businesses for suffering a data breach," Larry Ponemon, chairman and founder of The Ponemon Institute, said in a statement. "With a variety of threat vectors to contend with, companies must proactively implement policies and technologies that mitigate the risk of facing a costly breach."

As banks, insurance companies and universities continue to report new data breaches on a weekly basis, IT administrators are investing more in security applications and processes that help keep sensitive data out of the reach of their own employees and third-party vendors and partners.

The study found that negligent insider breaches have decreased in number and cost, most likely the result of increased training and awareness programs. Also, 58 percent of enterprises have expanded their use of encryption, up from 44 percent last year.

"The data from the Ponemon Institute matches what we've seen in our own research, which found that more than half of IT managers are largely unaware of employee access rights to systems," Todd Chambers, chief marketing officer of identity and access management software developer Courion Corp., said in an e-mail to InternetNews.com.

"This problem is still rampant and it is expensive," he added. "Until organizations take steps to create consistent access policies and implement technologies that give them visibility into whether data is being accessed appropriately, these numbers will remain elevated and continue to impact the bottom line."

Third-party organizations accounted for 42 percent of all breaches last year, down from 44 percent last year. Ponemon researchers said these third-party incidents are the most expensive to deal with because of the extensive investigation and consulting fees associated with them.

The most expensive data breach event included in this year's study cost a company nearly $31 million to resolve while the least expensive breach cost $750,000.

Researchers formulated the report from detailed analyses of 45 data breaches in which 5,000 to 101,000 records were affected from a variety of industries including retail, healthcare, manufacturing, entertainment and education.

Larry Barrett is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.