Data Breach Costs Decline for First Time in Seven Years

In March, Ponemon Institute released the results of its seventh annual study concerning the cost of data breach incidents for U.S. companies.  The 2011 study examined costs incurred by 49 companies in 14 different industries after the companies experienced the loss or theft of personal information.  As required by state data breach laws, the companies had to notify breach victims.  Ponemon’s study findings do not apply to “catastrophic breaches” which would include data breaches of more than 100,000 compromised records.

Some highlights from the report are:

  • The cost of a data breach declined.  The cost to a U.S. company declined from $7.2 million in 2010 to $5.5 million in 2011, and the cost per record declined from $214 to $194.  This was the first time both costs have declined in the same year since the study began.
  • More customers remain loyal after a data breach than in previous years.
  • “Lost business costs” declined significantly from $4.54 million in 2010 to $3.01 million in 2011. In previous studies, the highest cost for lost business was $4.59 million in 2008 and the lowest was $2.34 million in 2005.  Lost business costs include customer churn and reputation losses.
  • The cost to notify breach victims increased in 2011’s study from approximately $510,000 to $560,000.
  • The study found that the overall cost of a data breach can be reduced based on organizational decisions like if, for example, the company has a Chief Information Security Officer (CISO), the cost drops as much as $80 per record.  Engaging external consultants during a breach response can reduce cost by as much as $41 per record.
  • Certain factors of the data breach can increase overall cost like the fact that data breaches caused by third parties or a lost or stolen device increased the cost by $26 and $22, respectively.  Companies that notified customers too quickly without completing a comprehensive investigation paid on average $33 more per record.  Companies that experienced their first ever data breach in 2011 spent on average $37 more per record.
  • Negligent insiders and malicious attacks are the main causes of a data breach. Surprisingly, 39% of companies participating in the study said that negligence was the main cause of the data breaches.  Malicious or criminal attacks account for more than one-third of the total breaches reported in the study.