Data breach costs: £60 per record, says Ponemon

As the costs of a data breach increase, consumers have begun to shy away from insecure companies.

Greater public awareness of security is forcing up the cost of an information security data breach, as customers choose to avoid companies they see as insecure.

An investigation into 30 data security breaches in the U.K. has shown that the loss of personal or financial information can damage businesses and make it harder for them to hang on to their customers.

The research, carried out by the Ponemon Institute, and sponsored by PGP Corp., is based on interviews with 30 U.K. companies in 10 industrial sectors that suffered a security breach. The study found that the average cost of a data breach is £60 per compromised record, a significant increase from last year, which calculated the damage at £47 per record.

The cases in the study ranged in size, affecting from 4,100 to 92,000 records, while the estimated cost to organisations varied from £160,000 to £4.8m.

The study found that more than half the cost was caused by a measurable loss of business resulting from a breach, with customers leaving, and greater difficulty in acquiring new customers. The researchers stated that "customers are increasingly prone to terminate their business relationship due to lost data, producing consistently higher abnormal churn rates."

The study also revealed that the cost was even higher (£67) where a third-party supplier was involved in the breach.

Costs associated with detection, escalation, and informing customers decreased slightly in 2008, which according to researchers suggests that businesses are improving their processes to uncover, manage and communicate data breaches.

Lost laptops were the most significant cause of a breach, and two-thirds of breaches were caused by some kind of mistake or accident rather than malicious intent.

More on data breaches

Government departments breach Data Protection Act principles Recent research uncovers a lack of basic privacy controls in the public sector.

Recovery plans essential for preventing data loss disasters
If you lose a laptop or USB stick that contains sensitive employee data, do you know what to do next?
"It echoes what we are seeing in the U.S. After a breach happens, churn rates can go up by 1% to 8%, and the cost of new customer acquisition will also rise," said Jamie Cowper, head of marketing for PGP. "They are two main indicators for lost business."

He said companies showed they could get better at managing a breach by having an emergency response plan in place. "We see in the U.K. that costs are down for detection, escalation and post-breach response. But what you can't control is consumers deciding they can't trust you with their mortgage, current account or online shopping."

Cowper added that the report underlined the need to manage outsourcing contracts better. "Companies need to think about how they manage outsourcing, and going forward, how they manage cloud computing. They need to know where their data is and how it is being managed."

Survey respondents identified encryption and identity and access management products as the top two technology responses following a data breach. Control practices and training and awareness programmes were cited as the top two manual processes.

"In just the second year of this U.K. study, research proves U.K. businesses continue to pay dearly for having a data breach," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute in a statement. "As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy."

Read more on Application security and coding requirements