last year cost organizations $204 per exposed record on average, which represents an almost two percent increase over 2008, according to the fifth annual "Cost of Data Breach" study released on Monday by the Ponemon Institute.
“I am surprised that the number keeps on going up,” Larry Ponemon, chairman and founder of the Ponemon Institute, told SCMagazineUS.com on Friday. “Even though it's a small amount, it suggests to us that people still deeply care about data breaches.”
The study, which examined the experiences of 45 U.S. companies that suffered breaches last year, also found that the number of data breaches that were caused by malicious attacks and botnets doubled from 12 percent in 2008 to 24 percent in 2009. In addition, data breaches caused by malicious attacks cost organizations 30 to 40 percent more on average than those caused by human negligence or by IT system glitches.
“For the first time, companies participating in the study reported that data-stealing malware caused their breaches,” the study reported.
More commonly, however, the report stated, 42 percent of all data breaches last year resulted from third-party mistakes. And, 36 percent of breaches involved lost or stolen laptops or other mobile devices.
The most expensive data breach included in this year's study cost one organization nearly $31 million to resolve, and the least expensive breach cost $750,000. Lost business makes up the largest portion of breach costs, totaling $135 per record lost on average, a slight decrease from $139 in 2008, the study found. Ex-post response activities, which include providing credit monitoring services and other assistance to breach victims, cost $46 per record last year, up from $39 in 2008.
“One of the main reasons for an increase in ex-post response costs is due to the increase in legal defense costs,” the study said. “This can be attributed to increasing fears of successful class actions resulting from customer, consumer or employee data loss.”
Other data breach costs include activities that enable organizations to detect the breach, which totaled $8 per record on average last year, and costs to notify breach victims, which totaled $15 per record.
Notifying breach victims too early, however, may raise total breach costs. Those who notified breach victims within one month paid $219 per record exposed, on average, versus $196 paid by those who waited longer.
“Companies striving to make a deadline, sometimes cut corners on forensics,” Ponemon said, adding that doing so can result in over-reporting the extent of the breach, which can be very costly.
Companies which have experienced a breach need to provide timely communication, but also must take enough time to fully investigate the breach to determine who is harmed, how it happened and how to remediate the problem, the Ponemon report said.
Another finding was that having a CISO, or equivalent position, could decrease data breach costs by 50 percent. Companies with a CISO paid $157 per compromised record, on average, compared to those which did not have a CISO. They paid $236 per compromised record.
Companies with a CISO fare better after breaches because they have security strategies in place to protect the company's assets and to respond to such incidents, Tim Matthews, senior director of product marketing at encryption firm PGP, which sponsored the study, told SCMagazineUS.com on Friday.
“A CISO can be a focal point and leader,” Matthews said. “Response costs and coordination could be cheaper with someone in that role.”
Besides having a CISO, organizations should consider using encryption technology to help protect data, the study said.