The costs associated with
high-profile data breaches are skyrocketing, according to a
survey of companies that recently experienced customer data loss.
Data breaches cost companies an average of $182 per compromised
record, a 31% increase over 2005, according to the survey conducted
by the Elk Rapids, Mich.-based Ponemon Institute.
Ponemon studied 31 companies that experienced a data breach. The
total costs for each loss ranged from less than $1 million to more
than $22 million, according to the 2006 findings.
Costs resulting from a data breach can include printing and
postage of notification letters, hiring a law firm to address legal
issues, offering credit monitoring subscriptions to customers,
implementing a customer support hotline and contract call center,
as well as customer defections.
IT incurred no direct breach costs beyond putting subsequent
preventative measures in place, the survey said. The costs fell
primarily on marketing, which works to limit customer turnover, and
on customer support.
"IT costs tend to be made up front as a preventative measure, so
the bulk of an organization's security needs and subsequent IT
investment will, by necessity, already have been made," Larry
Ponemon, founder and chairman of the Ponemon Institute, said in an
email interview. "A breach may expose a flaw in implementation, or
a hole that can be addressed through training, but not necessarily
a need for new direct investments."
The study also uncovered
a lack of appropriate planning for a data breach. IT executives
or IT security officers were responsible for breach response in 53%
of incidents, but one third of those surveyed said there was no
single group responsible for a breach response.
"A number of recent studies we've conducted have revealed an
appalling lack of accountability where data protection and response
is concerned," Ponemon said. "We believe assigning responsibility
for security and response is an essential element to effective data
protection."
In addition, more data may be at risk, as more companies
contract with external partners, consultants, outsourcers or
contractors. The survey found that almost 30% of all reported
breaches originated with outside sources, such as contractors.
"It's difficult to compare right now as we've only been doing
this analysis for two years, but it's safe to say that the more
data travels, and the more people that have access to data, the
more risk there is for exposure," Ponemon said. "It's not enough to
assume a partner is doing the right thing. Companies have a
responsibility to conduct due diligence with their partners and
confirm they meet strict operational standards."
According to the study, laws in more than half of U.S. states
require that customers be notified if their confidential or personal
data has been lost, stolen or compromised. The only "safe harbor"
from that notification requirement is for data that was in encrypted
form when it was lost.
Many companies therefore aim to deploy data detection and
encryption software so that information protection lines up with
corporate security policies and regulatory mandates, according to
the study. With such tools, security best practices can be enforced
automatically, without relying on individuals to apply them and
without altering the network environment or how users handle email.
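As an added illustration of the "data detection" the study refers to (this is example code, not from the article and not from either sponsor's products), the block below inspects an outbound message the way a simple content filter would: it looks for card-number and SSN patterns, uses a Luhn check to discard digit strings that merely look like card numbers, and reports only masked values so the alert itself does not leak the data. The sample message and the three-way policy (block card numbers, require encryption for SSNs, otherwise allow) are constructed assumptions for this example.

```python
"""Minimal outbound content inspection in the style of a DLP filter.

Example code added for illustration; the sample message below is
constructed and contains only well-known test values, not real data.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of an outbound message (not real customer data).
# 4111 1111 1111 1111 is a standard test PAN that passes the Luhn check;
# the "-1112" variant and the order id are digit strings that fail it.
SAMPLE_MESSAGE = """Hi Dana,
Attached is the export you asked for. A few rows are inline:
Card: 4111 1111 1111 1111, exp 09/27
Card: 4111-1111-1111-1112
SSN: 123-45-6789
Order id: 1234567890123456
Thanks
"""

# 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# AAA-GG-SSSS with the area/group/serial values that are never issued excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass(frozen=True)
class Finding:
    kind: str      # "card" or "ssn"
    line_no: int   # 1-based line of the message the value appeared on
    masked: str    # redacted value that is safe to put in an alert


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, as a breach notice or alert would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect_message(text: str) -> List[Finding]:
    """Scan a message line by line and return masked findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # The Luhn check is what separates a real PAN from an order id.
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding("card", line_no, mask(digits)))
        for m in SSN_RE.finditer(line):
            findings.append(Finding("ssn", line_no, "***-**-" + m.group()[-4:]))
    return findings


def policy_decision(findings: List[Finding]) -> str:
    """Hypothetical policy: block card data, force encryption for SSNs."""
    kinds = {f.kind for f in findings}
    if "card" in kinds:
        return "block"
    if "ssn" in kinds:
        return "encrypt"
    return "allow"


if __name__ == "__main__":
    found = inspect_message(SAMPLE_MESSAGE)
    for f in found:
        print(f"line {f.line_no}: {f.kind} {f.masked}")
    print("decision:", policy_decision(found))
```

Run on the sample, the filter reports one card number on line 3 and one SSN on line 5, ignores the mistyped card on line 4 and the 16-digit order id on line 6 because they fail the Luhn check, and blocks the message. The masked output is deliberately the only thing the checker returns, since a detection log full of full card numbers is itself a record set that would have to be reported if lost.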
Companies should focus on preventing breaches, have a plan in place
to reduce the cost of exposure if one occurs, and know which
customers to notify so that customers are not over-notified, said
Steve Roop, vice president of products at San Francisco, Calif.-based
Vontu Inc. Vontu cosponsored the report with Palo Alto, Calif.-based
PGP Corp.
"It's all about risk mitigation and risk reduction," Roop said.
"Technologies need to make end users more aware of security best
practices, because employees need to know what the security
policies of an organization are and if they are mishandling
data."