Given the massive Sony PlayStation Network data breach in April, and the claim by a Marketplace expert that Sony delayed customer notification to lower its post-breach costs, I thought I would take another look at the report on breach costs.
Back in March 2011, the Ponemon Institute released its findings on breach costs for 2010. There are separate reports for the U.S. and the U.K. Findings from the U.S. report:
- More organizations respond faster to data breaches. In 2010, 43% notified breach victims within a month, up 7% from 2009.
- Faster response costs more. Organizations that notified breach victims within a month incurred an average per-record cost of $268 in 2010, up $49 (22%) from $219 during 2009. Companies that took longer to respond incurred an average cost per record of $174, down $22 (11%) from 2009.
- Malicious or criminal attacks were about a third (31%) of all data breaches.
- Malicious or criminal attacks are more expensive, too, averaging $318 per record during 2010, up $103 (48%) from 2009.
- The average cost per record comprised $74 of direct costs (34%), up 22% from 2009, and $144 of indirect costs (66%). Ponemon found that direct costs have been increasing since 2008 while indirect costs have declined. Direct costs include expenses for organizations to comply with data security regulations (Federal, state, and local), breach detection, and the notification of breach victims and government officials.
- Data breach costs have risen for a fifth consecutive year. The average organizational cost of a data breach was $7.2 million during 2010, up 7% from $6.8 million in 2009.
- The customer churn after a data breach contributed to breach costs, and varied by industry. While the average churn rate across all companies studied was 4%, the highest churn rates were in pharmaceuticals and healthcare (7% each). The industries with the lowest churn rates were the public sector (less than 1%) and retail (1%).
- Similarly, the average breach cost per record varied by industry. In 2010, the industries with the highest average per-record costs were communications ($380), financial ($353) and pharmaceutical ($345). The industries with the lowest per-record costs were media ($131), education ($112), and the public sector ($81).
The causes of data breaches and their associated costs:
| Breach Type | Frequency 2010 | Avg. Cost/Record |
| --- | --- | --- |
| First Timer YES | | |
| Malicious or criminal attack YES | | |
| Third-Party Mistake YES | | |
| Quick Response YES | | |
| Lost or Stolen Device YES | | |
| System Failure YES | | |
| CISO Leadership YES | 45% | $193 |
| External Consulting Support YES | | |
The analysis of costs:
- Lost Customer Business Due To Churn
- Legal Services: Defense
- Investigations & Forensics
- Audit and Consulting Services
- Customer Acquisition Costs
- Contact Costs: Inbound
- Contact Costs: Outbound
- Legal Services: Compliance
- Identity Protection Services
- Free or Discounted Services
- Public Relations / Communications
Based on the above cost analysis, the free or discounted credit monitoring services that organizations often provide to breach victims (e.g., consumers, employees) are not a major cost component. This suggests that companies could afford to provide longer periods of free credit monitoring and credit restoration services. For example, the State of Texas is offering its breach victims a single year of complimentary credit monitoring.
Ponemon studied breaches for 51 companies. Download the 2010 Ponemon U.S. Cost Of A Data Breach report (PDF format).