The report, sponsored by encryption firm PGP, assessed the costs of activities resulting from more than 100 data breach incidents affecting organizations in the United States, U.K., Australia, France and Germany. Breach costs were much higher for organizations located in countries with notification laws, such as the United States, according to the study.
In the United States, where 46 states have enacted laws mandating customers be alerted if their personal information has been exposed, breach costs were 43 percent higher than the global average.
“In the U.S., we have strict state notification laws,” Larry Ponemon, chairman and founder of the Ponemon Institute, told SCMagazineUS.com on Monday. “Notification over time has become part of what we do. In other countries, there might not be mandatory notification.”
The global average cost of a data-loss incident was $3.43 million last year, or $142 per compromised record. The average cost for U.S. organizations was $6.75 million or $204.
“That's a pretty healthy sum of money to have to commit to something you didn't anticipate,” Ponemon said.
In Germany, which in 2009 passed an amendment to its Federal Data Protection Act requiring organizations to publicly announce breaches and notify victims, costs were second highest at $3.44 million, or $177 per lost record.
In comparison, in the U.K., where only public-sector and financial organizations are mandated to disclose breaches, such incidents cost $2.57 million, or $98 per record lost, which is 44 percent lower than the global average and less than half the expense incurred by U.S. organizations. In Australia and France, which currently lack data breach notification laws, costs also were below average.
“It's perhaps no surprise that, in the U.S., where data protection laws are both stringent and mature, the financial fallout of a breach is at its most severe," Jonathan Armstrong, technology lawyer at Duane Morris, said in a statement. "However, the relatively low levels of expense incurred by British firms may raise a few eyebrows. With the U.K. Information Commissioner's Office [an independent privacy watchdog organization, sponsored by the British Ministry of Justice] toughening its stance on data protection, imposing hefty fines and scrutinizing more and more organizations, it will be interesting to see how steeply U.K. costs rise in the future.”
Researchers believe that as other countries enact breach notification laws, costs associated with such incidents will increase, according to the report.
Lost business was universally the greatest contributor to costs associated with breach incidents, accounting for 44 percent of costs. The cost of lost business was higher than average for U.S. firms, accounting for 66 percent of overall breach expenses.
Other costs included activities to detect and investigate the breach, to notify victims and to provide credit monitoring services. U.S. firms also paid more than those in other countries to notify breach victims – $15 per compromised record, compared to $10 in the U.K., $9 in Germany, $6 in France and $4 in Australia, the report showed.
