Breach, Data Security, Encryption, Incident Response, Network Security, TDR

Annual study reveals cost of a data breach keeps climbing

Data breaches cost organizations $202 per exposed record last year, a 2.3 percent increase over 2007, concluded the fourth annual Ponemon Institute study released on Monday.

The study, which examined the repercussions felt by 43 U.S. companies that suffered breaches last year, also revealed that lost business makes up nearly 70 percent of breach costs, up from 54 percent just two years ago. The average rate of churn -- defined as the rate by which customers cease doing business with the breached firm -- was 3.6 percent, up from 2.7 percent in 2007 and two percent in 2006.

Financial services firms and health care organizations were the most susceptible to customer attrition following a data-loss incident, experiencing churn rates of 5.5 percent and 6.5 percent, respectively, according to the study. Meanwhile, the average cost of a health-care breach was $282, about $150 more than the average retail breach.

Phil Dunkelberger, CEO of encryption firm PGP, which sponsored the study, said the churn rates show that customers are increasingly dissatisfied with companies that fail to safeguard their information.

"The news is that...with all these compromises going on, when are [organizations] going to get the message that people want their data protected?" he told SCMagazineUS.com. "If you're having a data breach at this point, it's not because, 'Wow, we didn't know.'"

Forty-four percent of respondents said the breaches were caused by third parties, such as outsourcers, contractors, consultants or other partners. That number is up from 40 percent in 2007 and 21 percent in 2005.

"Organizations should closely evaluate the enterprise data protection policies and systems used with and by third-party outsourcers or consultants," the study said, adding that the security of on-demand services also needs to be closely observed.

Companies said they are trying to fix the breach threat by increasing awareness training and instituting measures such as encryption, identity and access management and data-loss prevention, according to the study.

"The data is showing that unless you've got a core strategy, your business is at risk," Dunkelberger said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.