For the fifth year in a row, data breach costs have continued to
rise, according to a study documenting how businesses are impacted by
data breaches. They continue to cost organizations more every year,
with the average organizational cost of a data breach this year
increasing to $7.2 million, up seven percent from $6.8 million in 2009.
Total breach costs have grown every year since 2006, the report noted,
and data breaches in 2010 cost their companies an average of $214 per
compromised record, up $10 (5 percent) from last year.

The 2010 Ponemon Institute benchmark study, sponsored by Symantec
Corporation, examined the costs incurred by 51 organizations after
experiencing a data breach. Results were not hypothetical responses;
they represent cost estimates for activities resulting from actual data
loss incidents. Breaches in the study ranged from nearly 4,200 records
to 105,000 records and came from 15 different industry sectors.

For the second straight year, abnormal churn or turnover of
customers after data breaches appeared to be the dominant factor in
data breach cost. The report noted regulatory compliance contributes to
lower churn rates by boosting customer confidence in organizations’ IT
security practices. Average abnormal churn rates across all 51
incidents stayed level at four percent. The industries with the highest
2010 churn rate remained pharmaceuticals and healthcare (both up a
point to seven percent). The industries with the lowest abnormal churn
rates were public sector (less than one percent) and retail (one

Breaches involving lost or stolen laptop computers or other mobile
data-bearing devices remain a consistent and expensive threat, the
report found. The prevalence of breaches concerning mobile devices
holding sensitive data stayed roughly the same at 35 percent this year,
down a point. Per-record costs rose $33 (15 percent) to $258 per
record. The research suggested that device-oriented breaches have
consistently cost more than many other breach types. “This may be
because investigations and forensics into lost or stolen devices are
more difficult and costly,” the report said.

The number of breaches attributed to negligence edged up a point to
41 percent. Breaches from negligence in 2010 averaged $196 per record,
up $42 (27 percent) from 2009. The report said the relatively stable
incidence of negligence may indicate that ensuring employee and partner
compliance remains an ongoing challenge. “These figures may reflect the
growing prevalence and cost of malicious breaches, as well as
organizations’ growing competency in handling breaches from systems
failures and negligence,” the report noted.