Report: Data Breach Costs On The Rise

The annual "Cost of a Data Breach Survey," released Monday, said such incidents cost U.S. companies an average of $204 per compromised customer record in 2009, compared to $202 in 2008.

The average total organizational per-incident costs rose slightly in 2009 to $6.75 million, compared to an average per-incident cost of $6.65 million in 2008, despite an overall drop in the number of reported breaches. The total number of data breaches dipped in 2009 to 498, down from 657 in 2008, the study said, citing a report from the Identity Theft Resource Center.

Larry Ponemon, chairman and founder of the Ponemon Institute, said that customer churn rate comprised the "lion's share" of the costs for organizations following a data breach. Much of those costs were due to increased recruitment and marketing expenses incurred by companies due to an upsurge of customer attrition following a breach. "People do leave. It reduces the brand of an organization, and increases acquisition costs of new customers," he said.

Larry Ponemon, chairman and founder of the Ponemon Institute, said that customer churn rate comprised the "lion's share" of the costs for organizations following a data breach."People do leave. It reduces the brand of an organization, and increases acquisition costs of new customers," he said.

In addition, Ponemon said that industries such as pharmaceuticals and health care, followed by banking and financials, had higher customer churn rates than other industries, such as retail.

"You have this expectation that they're going to be better at managing your privacy. That's the perception, but that may not be accurate," he said.

Another reason for skyrocketing expenses is due to legal costs, Ponemon said. In 2009, legal defense costs related to data breaches spiked more than 50 percent upwards, largely as a result of successful class action suits -- or fear of successful lawsuits -- initiated by customers, consumers or employees who have experienced data loss.

Third-party organizations were responsible for 42 percent of all breach cases, which dropped slightly from 44 percent of all cases in 2008. However, data breaches sourced from a third party were ultimately more costly to organizations due to additional investigation and consulting fees.

Meanwhile, insider breaches due to negligence or lack of awareness have actually decreased in number and cost, according to the survey, which could likely be attributed to enhanced workplace training and awareness programs on how to protect personal and corporate information.

Despite this, the line between insider threats and external threats continues to be blurred, in part due to the proliferation of information-stealing malware that is increasingly responsible for data breaches and compromised information, executives said.

"We're seeing that data centers are becoming targets of organized crime," said Tim Matthews, senior director of marketing for encryption company PGP. "It's important for a company to think about its security postures out of data center. Developing a proactive strategy to protect data in the first place is a wise move."

Additionally, 58 percent of companies have also expanded their use of encryption, up from 44 percent last year, a development which also has cut down on breaches occurring when data is lost in transmission, such as via e-mail attachments, on disk or USB drives. And Ponemon said that the use of granular, high-end technologies, such as DLP and access management have served to reduce both internal and external threats as they become more widely deployed in the workplace.

"Laws that strongly encourage encryption, or require it, do make a difference," Ponemon said. "If (criminals) do break in, it's very unlikely they will be able to use what they steal."

The most expensive data breach event included in the 2009 study cost a company nearly $31 million to resolve, while the least expensive data breach cumulative cost for a company was $750,000, according to the study.