Ponemon study: Cost, loss of customers rising per breach

Businesses that experience a data breach are paying more per lost record and are shedding customers at accelerating rates compared to last year, an annual study concludes.

The "U.S. Cost of a Data Breach" study, compiled by the Ponemon Institute and sponsored by PGP and Vontu, reveals that the average cost of a data-loss incident jumped this year to $197 per record, up eight percent from 2006 and 43 percent from 2005.

The rise did not rival the 2005-2006 cost jump, due in part to companies getting a better handle on the notification process, the study's author, Larry Ponemon, founder and chairman of the Ponemon Institute, told today.

But contributors to the study said that the more surprising figure may be the amount of customer attrition that occurred following a breach. The study – which polled 35 cross-vertical companies that experienced a breach ranging in size from 4,000 records to 125,000 records – found that lost business now accounts for 65 percent of total breach costs, compared to 54 percent last year.

"That's huge," Kit Robinson, director of corporate communications for data-leak prevention provider Vontu (recently acquired by Symantec), told today. "That's something no company wants to deal with."

The rising number of defectors is particularly evident in the financial services industry, where consumers demand a greater level of trust, Ponemon said.

The average breach cost those businesses $239 per record, compared to $145 in the retail sector, where customers seem to have lower awareness, expectations and worries over data privacy, according to the study.

"People seem to care a lot about this," Ponemon said, adding that it does seem to affect their judgment of doing business with their bank or financial services company.

The study also highlighted a growing number of data-loss events caused by a company's third-party provider, whether it is a vendor, consultant or some other outsourcer.

"It tells me we're living in a wide open and virtual world, and a lot of companies are doing business that way," Robinson said. "They rely on partners. They have to exchange data to get work done."

Many of those third-party incidents were caused by lost or stolen laptops or other portable media storage devices, which accounted for 49 percent of the sampled data breaches, according to the study.

"One of the things companies need to think about is before they outsource or share data with third parties, they should verify the third parties have proper data security controls in place," Ponemon said.

The study also noted that the most common solution deployed following a breach is encryption, followed by data-leak prevention, identity and access management, endpoint security, security event management and perimeter controls.
