Data Breach Costs On The Rise, Study Finds

Among the key findings was that the costs of data breaches continued to increase, averaging more than $202 per record, for a total cost of more than $6.6 million per breach. The new findings represent an increase of about 2.5 percent, up from $197 per record in 2007.

Researchers say one reason for the increased expense is that hackers have strengthened their efforts and attack methods to mine valuable financial, corporate and personally identifying information, which they then harvest and sell via the Web.

"People keep ignoring the fact that data is currency," said Phil Dunkelberger, CEO of PGP Corp., the security company that jointly released the study with the Ponemon Institute. "Data is traded like dollars on the Internet now if you're not going to take precautions."

The Ponemon study was based on a group of 43 companies, with breaches that ranged from 4,200 to more than 113,000 records.

In addition, the expenses directly associated with customer attrition and lost business comprised the largest portion of the data breach costs, the Ponemon study found. Altogether, the cost of lost business accounted for 69 percent of data breach costs, totaling an average of $4.59 million, or $139 per record.

Also, one of the most significant findings was that third-party breaches are on the rise and more costly than ever. While major breaches such as the 2007 TJX breach and the recent Heartland Payment Systems breach make the headlines, researchers say that the majority of breaches will be due to access issues surrounding uncontrolled third parties.

According to the Ponemon study, 44 percent of the study's respondents reported breaches by third parties, such as outsourcers, contractors, consultants and business partners -- up from 40 percent in 2007. The per-victim cost for third-party breaches is about $52 higher than an insider employee breach.

In light of the declining economy, more businesses have relied on outsourcing and offshoring IT functions to third parties, creating more risks around their sensitive data.

"More and more people are trying to outsource things. But outsourcing is the most expensive way to lose the data," Dunkelberger said, adding that instead of external hackers, "most of these people are just employees, contractors, consultants losing information."

Meanwhile, the study also found that companies experiencing a breach for the first time will face more severe financial consequences than those that have experienced repeated breaches, primarily because companies that have experienced a breach are more familiar with the process and costs associated with the data loss. Per victim, the cost of "first-time" data breaches averaged $243 per record vs. $192 for experienced companies.

"Some of the people that had more than one breach, the cost of remediation comes down," Dunkelberger said. "Once you've had one, you know how to handle it."

Looking forward, however, the study found that companies have routinely implemented enhanced security training due to increased awareness. The study found that 49 percent of companies surveyed are creating additional manual procedures and controls, and 44 percent have expanded implementation of encryption technologies.

Meanwhile, breaches like the one at Heartland Payment Systems also will help foster a new breed of lawsuits, with firms dedicated to punitive damages for victims of data breaches, Dunkelberger said.

"Now there are zero-day lawsuits. Heartland already has a class-action suit, when nobody knows what happened and there still isn't information of the specific details," he said. "At least the law firms of the world are going to look very closely at this."