A recent study of data security breaches in the United States shows that the total cost per incident is substantial. In 2009 the average total cost per incident was $6.75 million, reflecting an average cost of $204 for each customer whose record was compromised.
PGP Corporation, an enterprise data protection company, and the Ponemon Institute, a privacy and information management research firm, tracked a wide array of cost elements as part of their fifth annual U.S. Cost of a Data Breach Study. These elements included outlays for detection, escalation, notification, and response, along with legal, investigative, and administrative expenses, customer defections, lost business opportunities, reputation management, and customer-support costs such as information hotlines and credit monitoring subscriptions.
"In the five years we have conducted this study, we have continued to see an increase in the cost to businesses for suffering a data breach," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute.
- Data breaches caused by malicious attacks and botnets were among the most severe and the most expensive to respond to. The share of breaches of this type doubled from 2008 to 2009.
- Data breaches involving data outsourced to third parties, especially offshore providers, remain very costly because of the additional investigation and consulting fees they incur.
- Data breaches caused by lost, missing, or stolen laptops tend to be more costly than other incidents. Breaches suffered by "first-timers" are more expensive than those at companies that have already learned to deal with prior breaches.
The study shows that companies are spending more on legal defense in connection with data security breaches, which is attributed to fears of class actions and other lawsuits arising from the loss of consumer and employee data. Engaging outside expertise appears to pay off: companies that brought in outside help during a breach incident had a lower cost per victim ($170) than companies that did not ($231).
Furthermore, companies with a Chief Information Security Officer (CISO) or an equivalent high-level security or privacy leader responsible for managing data breach incidents had a cost per compromised record roughly 50% lower than companies without such leadership.