By Thomas Claburn
29 November 2007 02:58PM

Losing customer data cost companies more this year than last.

According to a study conducted by the Ponemon Institute, an independent information practices research group, data breaches cost businesses an average of US$197 per customer record in 2007, up from US$182 in 2006.

The average total cost for a data breach in 2007 was US$6.3 million, up from US$4.8 million in 2006.

The study suggests that lost data translates to lost business opportunity. This mainly comes in the form of customer churn and customer acquisition costs, which rose from US$98 per record in 2006 to US$128 in 2007 -- a 30 percent increase.

Other costs include reputation management and customer support costs such as information hotlines and credit monitoring subscriptions for victims.

"In the past, there hasn't been the evidence to say that people are losing customers due to a breach," said John Dasher, director of product management for encryption technology company PGP Corporation. "I think that's changing."

Dasher attributes this to greater public awareness of security issues and less tolerance of them.

The study found outsourcing to be a significant and growing source of risk. Breaches attributable to third-party organisations -- outsourcers, contractors, consultants, and partners -- were reported by 40 percent of respondents, an increase of 29 percent from 2006.

And in such cases, the breaches were more expensive, costing companies an average of US$231 per customer record lost, compared to US$171 when no third party was responsible.

"If you outsource and there's a data breach your costs are more than if you didn't," said Dasher, who sees this as a consequence of IT trying to do more with less. "The outsourcers themselves appear to not be immune to poor security practices."

Legal costs associated with data breaches and public relations costs rose 8 percent and 3 percent respectively of total breach costs, according to the study.

The study indicates that laptops, thumb drives and mobile devices account for 49 percent of all breaches in the 2007 sample. About 18 percent of data breach incidents were attributable to a malicious attack (a virus or spyware, for example) or a malicious insider.

The study's findings aren't all bad news: The cost of data breach notification dropped by 15 percent. Dasher attributes this to organisations being more focused in their response.

PGP Corporation and data loss protection company Vontu (recently acquired by Symantec) sponsored the study. Both companies make products designed to mitigate data breach risks.

The study is based on analysis of 35 data breach incidents in the U.S. which range in scope from losses of fewer than 4,000 records to more than 125,000 records.

More than 216 million customer records have been exposed or lost in data breaches since 2005, according to Privacy Rights Clearinghouse, a privacy advocacy organisation.

In late October, the U.K. government acknowledged losing data on more than 25 million of its citizens.

The Ponemon Institute plans to release a study of U.K. data breaches in January.

See original article on InformationWeek.com

Copyright (c) 2007 CMP Media LLC
All rights reserved.