Data breaches cost US companies $202 per compromised customer record in 2008, compared with $197 in 2007 – with the largest cost increase from lost business resulting from abnormal customer churn, according to the fourth annual US Cost of a Data Breach Study, writes Retailer Daily.
Since the study’s inception in 2005, the cost per compromised record has grown by more than $64 per victim – a nearly 40% increase.
The cost per customer for the retail industry was $131 in 2008, vs. the average of $202; the cost per customer for the “consumer products” industry was $184.
The average per-incident cost for affected businesses in 2008 was nearly $6.7 million, up from $6.3 million in 2007.
The annual US Cost of a Data Breach Study, which examines 43 organizations across 17 industry sectors, is sponsored by PGP Corporation and independently conducted by the Ponemon Institute.
“In this current economic climate, US businesses can’t afford to give their customers any reason to go elsewhere,” said Phillip Dunkelberger, president and CEO of PGP Corporation. “This study continues to show that the results of a data breach can seriously wound a company’s bottom line and reputation. This begs the question, when are organizations going to get proactive about protecting their critical data?”
Other key findings from the study:
- Healthcare and financial services companies experienced the highest churn rate – 6.5% and 5.5% respectively, compared with a total average of 3.6% – reflecting the sensitivity of the data collected and the customer expectation that information will be protected.
- Retail’s customer churn rate was 1.5%, or 14th out of the 17 industries studied, apparently because consumers have lower awareness, expectations, or concerns about data privacy. Churn rate was 3.6% for the “consumer products” industry, or 9th out of 17.
- Breaches involving third-party organizations accounted for more than 44% of all breach cases in the 2008 study and are also the most costly form of data breach, due to additional investigation and consulting fees.
- More than 84% of 2008 cases involved organizations that had had more than one data breach in 2008; that is, companies are becoming more experienced in managing breaches over time.
- More than 88% of all cases involved insider negligence.
- More than half of respondents believe that training and awareness programs assist in preventing future breaches and 44% have expanded their use of encryption.
- The most significant cost decrease was seen in activities relating to post-breach response, which indicates that organizations are becoming more cost-effective in managing data breaches.
“After four years of conducting this study, one thing remains constant: US businesses continue to pay dearly for having a data breach,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy.”
About the findings: The US Cost of a Data Breach Study was derived from a detailed analysis of 43 data breach cases in which the number of records affected ranged from 4,200 to 113,000. The study found that there is a positive correlation between the number of records lost and the cost of an incident. Companies analyzed were from 17 different industries, including financial, retail, healthcare, services, education, technology, manufacturing, transportation, consumer, hotels and leisure, entertainment, marketing, pharmaceutical, communications, research, energy and defense. The study tracks a wide range of cost factors, including expensive outlays for detection, escalation, notification and response along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions.