Counting the cost of data breaches

I’m always fascinated by the outcome of attempts to quantify the cost of data breaches. The Ponemon Institute have recently published the results of surveys, sponsored by PGP, carried out in the US and UK. These figures are worth noting, as the Ponemon Institute research is much more thorough and reliable than the quick market surveys by vendors that we often see reported in the media.

The US Study analysed data breaches in 43 organizations across 17 different industry sectors. It found that data breach incidents cost companies an average of $202 per compromised customer record in 2008, a small increase on last year’s figure. The UK Study covered data breaches in 30 organisations. It found that the total average cost of a data breach has now grown to £60 per record compromised, with the average total cost per reporting company rising to more than £1.73 million per breach. In both studies, lost business continued to be the most costly effect of a breach, accounting for around half the overall cost. Not surprisingly, internal negligence is the main factor in breaches.

It’s interesting to note the large difference in UK and US costs. I’m not sure why this should be. Perhaps it reflects a greater knee-jerk reaction by US firms, their lawyers and customers following a high-profile breach?

The studies continue to indicate a positive correlation between the number of records lost and the cost of an incident. But some caution in interpretation is needed. Firstly, not all costs scale linearly, so don’t assume that the cost per record from a 40,000-record breach will be the same as for a 40,000,000-record breach. Secondly, many aspects of a breach, such as the cost of lost business, cannot be measured precisely. And thirdly, the cost of lost future business depends heavily on how well the incident is managed. TJ Maxx did it very well and they came out on top. Not everyone can do that.

The last point explains the contradiction pointed out by John Leyden in his report in The Register. In my view he is wrong to question how much weight can be placed on these figures. On the contrary, these figures are well researched and largely make sense to me.