Study: Cost of data breach in U.S. is highest world wide

A global study of data breach costs conducted by the Ponemon Institute finds notification laws have dramatic impact on the price tag

U.S. corporations who are unfortunate enough to experience a data breach face much higher costs than organizations in other parts of the world. That's according to research released today by the Ponemon Institute and sponsored by security firm PGP Corporation. The study is the first time the Institute, which conducts an annual study looking at breach costs, has undertaken a worldwide investigation.

A similar study released earlier this year by the Ponemon Institute looked at breach costs in the U.S.

The research calculated the average cost of a data breach globally at $3.43 million last year, the equivalent of $142 per compromised customer record. However, costs varied dramatically between regions, from $208 per lost record in the U.S., down to $98 per record in the UK. A total of 133 organizations, located in five countries - Australia, France, Germany, UK and U.S. - participated in the research, which was conducted in 2009, according to a release from the Ponemon Institute and PGP.

The report reveals that costs incurred in countries with data breach notification laws were significantly higher than in countries where no such legislation exists. For example, in the U.S., where 46 states have now introduced laws forcing organizations to publicly disclose the details of breach incidents, the cost per lost record was 43 percent higher than the global average. In Germany, where equivalent laws were passed July 2009, costs were second highest; 25 percent above the worldwide average. In Australia, France and the UK, where data breach notification laws have not yet been introduced, costs were all below the average.

"The over-arching conclusion from this study is the staggering impact that regulation has on escalating the cost of a data breach," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "The U.S. figures are testament to this and it's clear that, as and when breach notification laws are introduced across the rest of the world, other countries will follow the same pattern and costs will rise."

The report also looked at business lost as a result of a breach. Almost half (44 percent) of the incurred data loss expenses related to the cost of lost business, reflecting the added expense of consumer churn and the increased difficulty of attracting new customers in the wake of negative publicity. Again, costs varied dramatically between countries and were highest in the U.S., where the cost of lost business was on average equivalent to 66 percent of overall expenses, said the Ponemon Institute.

Strong CISO leadership helps costs fall

Where the organization's chief information security officer or equivalent took personal responsibility for managing the breach, costs fell in all five countries. However, CISO-managed events only occur in a minority of cases, with the majority of organizations either not employing a CISO, or not making them directly responsible for data breach incidents.

Also see What is a Chief Security Officer?

"Approaching the issue from a strategic perspective is the right way to go about addressing data breach," Ponemon told CSO. "You can't simply check compliance boxes, or throw technology at the issue and expect the problem will take care of itself. Instead, organizations must understand that technologies have to be part of a comprehensive strategy that takes into account the purpose for collecting data, policies for managing data throughout the entire lifecycle, enforcement of policies, training and awareness, and the development of contingency plans for when things go wrong, to name a few. This is why we have also seen that organizations with a CISO/CSO do a much better job managing data, avoiding incidents, and responding more effectively to incidents when they occur. Capable leadership ensures that the strategy is in place, that execution is according to plan, and that the organization is prepared to deal with and respond to threats and contingencies. "

Join the discussion
Be the first to comment on this article. Our Commenting Policies