Companies that are reluctant to invest what it takes on data security better be prepared to pony up a lot more if their systems are ever breached.
That’s the main take-away from a new report released by the Ponemon Institute LLC, which shows that the average cost of a data breach to companies is continuing to increase.
Ponemon said the breaches from last year that it studied cost an average of about $202 for each compromised customer record.
That is 46 per cent higher than the $138 per record that Ponemon cited in its first annual report on breach costs, for 2005.
The average cost had previously increased to $182 in 2006 and $197 in 2007, according to Ponemon.
The cost-per-record figures include direct expenses for breach detection, mitigation, notification and response efforts, as well as indirect costs, such as the financial impact of customer defections and lost business opportunities.
Ponemon said the average overall cost of the breaches covered in the new report was more than $6.6 million, with individual companies reporting costs that ranged from $613,000 to almost $32 million.
The report was based on a study of breaches at 43 large companies from 17 different industries. The number of customer records that were compromised in the breaches ranged from less than 4,200 to more than 113,000.
Those figures are much lower than those associated with the most-publicized breaches, which involve compromised records numbering in the millions, but they’re in line with the number of compromised records involved in the types of breaches that companies are typically hit by.
Increasingly, the biggest cost to companies that suffer data breaches is lost business, said Larry Ponemon, chairman of the Elk Rapids, Mich.-based think tank.
He added that about $139 of the average per-record breach cost – or 69 per cent of the total – was in the form of lost business last year, while other costs declined.
That statistic indicates that although companies are getting better at detecting and responding to data breaches, customers are becoming less tolerant of breaches and showing a growing willingness to take their business elsewhere, Ponemon said.
In the wake of breach reports, “we found customer churn rates actually going up,” Ponemon said. “People do care deeply about data being stolen.”
That concern was especially evident, he noted, in breaches involving financial services firms and health care organizations, because the data involved in such compromises is often more sensitive than the information at other types of companies.
For instance, the customer-defection trend doesn’t appear to have manifested itself in a big way in the retail industry. As an example, the massive breach disclosed in January 2007 by The TJX Companies Inc. was expected to have a dramatic impact on customer trust in the company.
But in the quarter immediately after the disclosure, TJX reported one of its strongest-ever financial performances. And in the first year after the breach came to light, the retailer’s stock price remained largely unaffected, while its same-store sales increased 4 per cent.
Ponemon said the new study also showed that breaches end up costing significantly more for companies that are experiencing them for the first time than they do for companies that have suffered previous data compromises.
The same is also true, he noted, for breaches involving third parties. On average, such breaches ended up costing companies about $231 per compromised record, based on the study.
John Pescatore, an analyst at Gartner Inc., said the numbers released in the Ponemon study were somewhat similar to Gartner’s own cost estimates for relatively small breaches involving up to 100,000 customer records.
“Basically, $202 per account is right in the ballpark,” Pescatore said. “It’s a little lower than what we’ve seen,” but not by much.
But, he added, that figure is “way high” for large-scale breaches involving millions of customer records, such as the one at TJX.
That’s because some of the costs associated with a breach, such as the expense of detecting and mitigating a systems intrusion, may not increase significantly as the number of customer records grows larger and larger.
A number of variables can affect the actual cost of breaches, Pescatore said. For instance, certain kinds of breaches, such as those involving Social Security numbers, may require companies to offer credit monitoring services to affected customers, while others don’t.
Similarly, if a breached company had encrypted its data, it might not need to spend as much on breach notification costs as businesses with unencrypted information do.