Data Breach Report: Malicious Attacks Doubled in 2009Average Cost of a Breach is Now $204 Per Record
These are the headlines from the 5th annual "Cost of a Data Breach" study by the Ponemon Institute.
The study shows that the total cost of a data breach rose to $204 from $202 per compromised record. Dr. Larry Ponemon, President and CEO of the Ponemon Institute, says the increase is a "big deal" because it shows that data breaches continue to be a costly event for all organizations. The Ponemon Institute is a privacy and information security research firm based in Traverse City, MI.
According to the latest study, of the $204 associated with compromised records, $144 is linked to indirect costs including abnormal turnover or "churn" of existing and future customers. Ponemon says this compares to 2009's average per victim cost of $202, with an average indirect cost at $152 per breach victim. This year direct costs rose to $60 from $50 in 2009.
The study does not try to draw definitive conclusions, Ponemon says, but looks at broad trends. Data breaches have three root causes: third party mistakes, malicious attacks, or a negligent insider or systems glitch. Ponemon notes that 42 percent of all cases in the study involved third-party mistakes or flubs. These breaches are the most expensive, especially if they occur offshore, he says. "This could be because more investigation is needed, along with consulting fees."
The number of malicious or criminal attack-related breaches was 24 percent -- double the 12 percent of the 2009 study. "They are the most costly, and the types of attacks we found included botnet attacks and data-stealing malware," Ponemon says. "There is more to worry about because I see this as a growing category. This number of criminal attacks will continue to increase in the foreseeable future."
The cost of a malicious breach ($215) is higher than that of a negligent insider or systems glitch, which average $154 and $166.
This study does not include those "catastrophic" data breaches such as Heartland or TJX, says Ponemon. "We're looking at a cost model that is comparable for big data breaches, but not catastrophic data breaches such as Heartland or TJX," he notes. The comparison would skew the results to a much lower number. "Trying to compare a catastrophic data breach's numbers with a regular data breach would be like trying to compare the budgets of the United States to Haiti's," he adds. A data breach in this study ranges from 5,000 records, but less than 101,000 records.
'Churn' Is Driving Cost Up
One of the driving costs of data breaches is the loss of business that comes as a result. Abnormal churn or turnover rates of customers resulting directly from a data breach is slightly higher than last year, (up from 3.6 percent to 3.7 percent in 2010). The industries with the highest churn rates are pharmaceuticals, communications and healthcare (6 percent); then financial services at 5 percent.
The industries with the lowest abnormal churn rates are manufacturing, energy and media (below 1 percent), followed by technology and retail (2 percent), Ponemon says. While financial services is in the middle of the pack when looking at churn rates, he warns that this number may not be measurable for financial institutions. "In our model, we can't do an absolute churn for financial services. In our study, the move away from an institution that has suffered a breach is less noticeable right away."
For example, if a bank tells a customer that they've lost their data because of an online banking breach, the customer may move away from doing online banking with that particular bank. "So the customer may not move accounts right away, but by moving their online banking activities to another bank, the breached bank has lost them as an online customer. Slowly, that second bank becomes their primary bank," Ponemon explains.
Other reasons that the costs are going up include media coverage. "Media also drives cost, but also we find that people still care deeply if no major media covers it and they just get a notification letter," Ponemon says. "People still care very deeply if they are a victim of a data breach."
While the lion's share of cost is the loss of business, another major portion is the "post-breach" costs, including all the things that a company does to respond to inquiries from customers, all the provisioning of credit monitoring, and legal and public relations costs that come with a breach.
Ponemon notes that the legal defense cost increased this year. "Usually, it was a compliance cost, but more companies are gearing up to defend themselves against lawsuits that come after a breach," he observes.
To hear more from Ponemon on the latest study, listen to this podcast interview.
To read the full Ponemon "Cost of a Data Breach" study, go to: www.encryptionreports.com