Ponemon Report: Costs of a Data Breach

Given the massive Sony Playstation Network data breach in April, and the claim by a Marketplace expert that Sony delayed customer notification to lower its post-breach costs, I thought that I would take another look at the report on breach costs.

Back in March 2011, the Ponemon Institute released its findings on breach costs for 2010. There are separate reports for the U.S. and the U.K. Findings from the U.S. report:

  • More organizations respond faster to data breaches. In 2010, 43% notified breach victims within a month, up 7% from 2009.
  • Faster response costs more. Organizations that notified breach victims within a month incurred an average cost per record of $268 in 2010, up $49 (22%) from $219 during 2009. Companies that took longer to respond incurred an average cost per record of $174, down $22 (11%) from 2009.
  • Malicious or criminal attacks were about a third (31%) of all data breaches.
  • Malicious or criminal attacks are more expensive, too, averaging $318 per record during 2010, up $103 (48%) from 2009.
  • The average cost per record comprised $74 of direct costs (34%), up 22% from 2009, and $144 of indirect costs (66%). Ponemon found that direct costs have been increasing since 2008 while indirect costs have declined. Direct costs include expenses for organizations to comply with data security regulations (Federal, state, and local), breach detection, and the notification of breach victims and government officials.
  • Data breach costs have risen for a fifth consecutive year. The average organizational cost of a data breach was $7.2 million during 2010, up 7% from $6.8 million in 2009.
  • The customer churn after a data breach contributed to breach costs, and varied by industry. While the average churn rate across all companies studied was 4%, the highest churn rates were in pharmaceuticals and healthcare (7% each). The industries with the lowest churn rates were the public sector (less than 1%) and retail (1%).
  • Similarly, the average breach cost per record varied by industry. In 2010, the industries with the highest average per-record costs were communications ($380), financial ($353) and pharmaceutical ($345). The industries with the lowest per-record costs were media ($131), education ($112), and the public sector ($81).

The causes of data breaches and their associated costs:

Breach Type                          Frequency 2010   Avg. Cost/Record
First Timer (YES)                    20%              $326
Malicious or criminal attack (YES)   31%              $318
Third-Party Mistake (YES)            39%              $302
Quick Response (YES)                 43%              $268
Lost or Stolen Device (YES)          35%              $258
System Failure (YES)                 27%              $210
Negligence (YES)                     41%              $198
CISO Leadership (YES)                45%              $193
External Consulting Support (YES)    37%              $191

The analysis of costs:

Cost Type                              2010   2009
Lost Customer Business Due To Churn    39%    40%
Legal Services: Defense                14%    14%
Investigations & Forensics             11%     8%
Audit and Consulting Services          10%    12%
Customer Acquisition Costs              9%     9%
Contact Costs: Inbound                  6%     5%
Contact Costs: Outbound                 5%     6%
Legal Services: Compliance              2%     2%
Identity Protection Services            2%     2%
Free or Discounted Services             1%     1%
Public Relations / Communications       1%     1%
Total                                  10%   102%

Based on the above cost analysis, the free or discounted credit monitoring services that organizations often provide to breach victims (e.g., consumers, employees) are not a major cost component. This suggests that companies could provide longer periods of free credit monitoring and credit restoration services. For example, the State of Texas is offering its breach victims a single year of complimentary credit monitoring.

Ponemon studied breaches at 51 companies. Download the 2010 Ponemon U.S. Cost Of A Data Breach report (PDF format).
