Ponemon's 2007 Cost of a Breach Survey: Cost Per Compromised Record Rises to Almost $200

Despite growing compliance requirements and increased state-by-state adoption of breach notification laws, the cost of a data breach continues to rise, according to The Ponemon Institute’s 2007 Annual Cost of a Data Breach study, sponsored by PGP and Vontu. Companies reported spending $197 per compromised record, an increase of 8 percent over last year.

The study examined the breach response activities of 35 companies known to have experienced a breach involving the loss of personal data during the year, according to John Dasher, director of product management at PGP. Those organizations spent an average of $6.3 million per breach. Sixty-five percent of that was attributed to lost business, compared to 54 percent in 2006, according to the study. That’s an average of $4.1 million, or $128 per compromised record, in business losses alone.

The number of customers who quit doing business with a company after a breach is partially to blame: In 2007, the churn rate attributed to a breach was 2.7 percent, as opposed to just over 2 percent the year before. That kind of turnover results in decreased revenues and higher costs associated with increased marketing to acquire new customers.

Breach incidents involving third-party organizations such as outsourcers, contractors, consultants and business partners are also on the rise. Forty percent of respondents reported breaches by third parties, an increase of 11 percent over last year. Such breaches are also more costly to the organization, averaging $231 per record compared to $171 for breaches handled entirely in-house. "That’s because they not only have to handle whatever problems they have behind their own four walls, but also have to work with their partner to help them fix their problems," says Dasher.

While data breaches cost more this year overall, some of the associated costs actually declined. Costs related to investigations, notification of impacted individuals and free credit monitoring decreased 15 percent over last year. Dasher thinks this is likely due to the fact that data breach response has matured. "It’s not so much because companies aren’t spending money in these areas, but that they are getting smarter about how they spend it." Companies used to be all over the map with how they responded to a breach, says Dasher. Now, rather than e-mail, call and send registered mail to the customer, they may choose only one of those options to get the message across. The decrease may also be an indication that organizations are learning from past breach experiences, says Dasher.

At the same time, legal defense and public relations costs have increased to 8 percent (3 percent of the total cost of a breach). According to Dasher, these numbers were not measured in previous years because they accounted for only a sliver of the overall cost. But now, because brand damage comes at an increasingly high price, companies are trying to use PR to mitigate the monetary loss associated with it.

Reach Associate Staff Writer Katherine Walsh at kwalsh@cxo.com.

Copyright © 2007 IDG Communications, Inc.