In its study of 43 companies that suffered a data breach last year, the Ponemon Institute found the total cost of coping with the consequences rose to US$6.6 million per breach, up from $6.3 million in 2007 and $4.7 million in 2006.
The cost per compromised record in 2008 rose 2.5 percent over the year before to $202 per record, according to the study being released Monday.
"Each company is like a case study," said Larry Ponemon, head of the research group, noting that these 43 companies volunteered to participate in the study, which doesn't reveal their names.
But the study, which was sponsored by security vendor PGP, does reach some findings about how these companies struggled with the fallout of a data-breach incident. Such incidents are often publicly reported because state regulations require that individuals be notified if their confidential personal data has been lost, stolen or compromised.
"For the majority of our companies, it was not their first time," said Ponemon about the 43 U.S.-based companies in the 2008 data-breach study. "84 percent of the cases were repeat offenders, and only 16 percent were new."
He adds that the first-timers found a data breach to be more expensive. According to the study, the first-timers found themselves coughing up $243 per record, while for experienced companies, costs were held down to $192 per victim record.
There are some distinct consequences of a data breach, especially in healthcare and financial services, Ponemon notes. In these two industries more than others, customers notified of a data breach are more likely to discontinue association with companies that failed to secure sensitive data about them.
Despite headlines about lost and stolen data, "What continues to amaze me is that you'd think that people would be indifferent to a data-breach notification, but people continue to care a lot," Ponemon said.
While the average customer "turnover" or "churn" due to a data breach was generally 3.6 percent, in healthcare it was a much higher 6.5 percent and in financial services 5.5 percent. And the cost of a healthcare breach, at $282 per record, was more than twice as high as that of the average retail breach at $131 per record.
In other findings, the Ponemon study said 88 percent of all the cases for 2008 were traced back to insider negligence. It also showed that 44 percent of data breaches occurred due to external causes involving third parties, an increase from 40 percent in 2007 and 29 percent in 2006.
A third-party breach is defined as one in which third-party professional services firms, outsourcers, vendors or business partners were in possession of the data and responsible for holding it.
Costs for a data breach mount up because of lost business and legal defense, which grew in 2008, while costs of customer support, notification and free services such as credit monitoring decreased, according to the study.
The most-cited steps that companies took following a breach included training and awareness programs, more manual procedures and controls, expanded use of encryption, identity and access-management deployments, and data-loss prevention products.
Network World (US)