Data Breaches Cost U.S. Companies More Than Others


It cost U.S. companies more than twice as much to deal with and resolve a data breach than their counterparts in England, according to a global survey of more than 133 companies and organizations in five countries.

According to the study, conducted by the Ponemon Institute and PGP Corp., the average data breach in 2009 cost U.S. companies about $204 per record compromised, compared to just $98 per record in the United Kingdom.

The disparity in costs directly correlates to the amount of regulation companies encounter in each country and, therefore, the amount of money each organization has to shell out in attorney fees and fines imposed by state laws.

Earlier this month, Mississippi became the 46th U.S. state to pass legislation requiring businesses and government agencies to immediately notify people when their personal information has been compromised by either an accidental or deliberate data breach.

Equivalent data breach notification laws in Germany were enacted in July 2009 and companies in that country spent an average of $177 per record to resolve security incidents.

Meanwhile, costs were much lower for companies based in Australia, France and the UK where data breach notification laws have yet to be approved or introduced.

"The overarching conclusion from this study is the staggering impact that regulation has on escalating the cost of a data breach," Larry Ponemon, chairman and founder of independent security researcher The Ponemon Institute, said in the report.

"The U.S. figures are testament to this and it's clear that, if and when breach notification laws are introduced across the rest of the world, other countries will follow the same pattern and costs will rise," he added.

In the UK, where only public sector and financial organizations currently face regulatory pressure to disclose breaches, costs were lowest: 45% below the global average, and equating to less than half the expense incurred by U.S. firms.

According to the report, the total cost of a data breach in the United States averages $6.75 million, compared to $3.44 million in Germany, $2.57 million in the UK, $2.53 million in France and $1.83 million in Australia.

Almost half of the costs absorbed by companies in all the countries were directly related to the cost of lost business, with the U.S. checking in atop the list at 66 percent.

The study also found that 35 percent of all breaches involved outsourcing to third-parties, and another 35 percent were traced to malicious or criminal attacks.

"It doesn't matter where they're located, if a company gains a reputation for being careless with confidential data, the brand will suffer," Phillip Dunkelberger, CEO of e-mail and data encryption security software provider PGP Corp., said in the report.

"Data is currency. It needs to be protected," he added.

An earlier study by the Ponemon Institute and PGP found that U.S. companies spent an average of $6.75 million to resolve major data breach incidents in 2009.

Larry Barrett is a senior editor at, the news service of, the network for technology professionals.