
2008 Annual Study: Cost of a Data Breach

2009-02-20

The Ponemon Institute, together with PGP, has released its 4th annual study on the cost of data breaches. The report is based on the actual experiences of 43 US companies from 17 different industry sectors, and covers a wide range of business costs, including expense outlays for detection, escalation, notification and after-the-fact response. The report also analyzes the economic impact of lost or diminished customer trust and confidence, measured by customer churn or turnover rates.

Some key findings include:

- Average total per-incident costs in 2008 were $6.65 million, compared to an average per-incident cost of $6.3 million in 2007.

- Healthcare and financial services companies experienced the highest churn rates, 6.5 percent and 5.5 percent respectively, against an overall average of 3.6 percent, which reflects the sensitivity of the data collected and the customer expectation that information will be protected.

Phillip Dunkelberger, president and CEO of PGP Corporation, states "After four years of conducting this study, one thing remains constant; U.S. businesses continue to pay dearly for having a data breach. As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy."

The study was also conducted in the United Kingdom and Germany, with the following key findings:

United Kingdom: Study included 30 organizations

- The total average cost of a data breach grew to £60 per record compromised, an increase of 28 percent since 2007. Breaches are costly events for an organization: the average total cost per reporting company was more than £1.73 million per breach and ranged from £160,000 to over £4.8 million.

- The cost of lost business continued to be the most costly effect of a breach, averaging £920,000 or £32 per record compromised. Lost business now accounts for 53 percent of data breach costs, compared to 36 percent in the 2007 study.

Germany: Study included 18 organizations

- The total average cost of a data breach reached €112 per record compromised. The total cost per reporting company was more than €2.41 million per breach and ranged from €267,000 to over €6.75 million.

- The costs of lost business, detection and escalation, and ex-post response each averaged €36 per record, or between €770,000 and €780,000 per incident. The remaining factor, notification costs, is significantly lower, representing €4 per record compromised or €80,000 per incident. This lower cost reflects the lack of a consistent data breach notification law in Germany.

You can download all of the reports here.