Data Breaches Cost Australian Companies AUS$1.97 Million
SYDNEY and TRAVERSE CITY, Mich., April 7 /PRNewswire/ — Australian organisations experience costly data breaches with the average organisational cost of a data breach, including activities intended to prevent a loss of customer or consumer trust, at AUS$1.97 million and the average cost per compromised record at AUS$123. The most expensive data breach cost one organisation surveyed more than AUS$4 million to resolve, according to the 2009 Annual Study: “Australian Cost of a Data Breach” report – the first of its kind to quantify the costs associated with both public and private sector data breaches in Australia.
Compiled by privacy and information management research organisation the Ponemon Institute, together with PGP Corporation, the research analysed the actual data breach experiences of 16 Australian companies from nine different industry sectors taking into account a wide range of business costs including expensive outlays for detection, escalation, notification and after-the-fact responses. It also analysed the economic impact of lost or diminished customer trust and confidence as measured by customer turnover (churn) rates.
The two most significant components of the cost for Australian organisations are lost business, and detection and escalation of incidents. The least significant is notification, largely because Australian organisations are not required to notify victims when a data breach occurs – unlike their US and UK counterparts, which have data breach notification laws.
“This first annual study shows that the financial impact of data breaches is significant for Australian organisations,” said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. “The research points to malicious attacks as the primary drivers of data breaches and customer turnover being the most costly component following a breach. The cost of notifying customers that their information has been compromised remains lower in Australia than we have seen in other countries where breach laws mandate notification.”
Malicious attacks and botnets
Malicious attacks and botnets are the primary drivers of data breaches in Australia, and cost substantially more than those caused by human negligence or IT system glitches. In this year’s study, 44% of all cases involved a malicious or criminal attack that resulted in the loss or theft of personal information. The cost per record compromised averaged AUS$156, while breaches from negligence and systems glitches had an average per record cost of AUS$94 and AUS$99 (40% and 37% less) respectively.
Outsourced data to third parties are common and costly
Data breaches involving outsourced data to third parties, especially when the third party is offshore, are common and costly. Thirty-one percent of all cases in this year’s study involved third-party mistakes or flubs. The cost per compromised record for data breaches involving third parties was AUS$152 versus AUS$109 if the breach did not involve a third party, AUS$43 (39%) more. (This could be due to additional investigation and consulting fees, or additional forensics investigation and consulting fees.)
Finance, media and communications have highest customer turnover
Industries with the highest customer turnover (churn rate) were financial, media and communications (7%), which also had the highest average costs per compromised record (AUS$177, AUS$182 and AUS$141 respectively). The industries with the lowest abnormal churn rates were retail and transportation (2%), followed by the public sector (1%), which had the lowest average costs per compromised record (AUS$73, AUS$72 and AUS$107 respectively).
Other key findings of this year’s report show that 31% of all cases involved a systems glitch or lost or stolen laptop computers or other mobile data-bearing devices, 25% of all data breach cases involved employee negligence, and 56% of organisations surveyed with a better security posture had lower data breach costs than their less-prepared peers.
“This study shows that organisations that proactively protect their data suffer less when hit by a data breach,” said Phillip Dunkelberger, president and CEO of PGP Corporation. “While Australia does not have data breach notification laws and only few data breaches are ever made public, it’s clear that those organisations that employ a strategic approach that combines strong security leadership, well defined operational procedures and integrated technology solutions will reduce their exposure to costly loss incidents.”
Copies of the full study are available at: www.encryptionreports.com.
About the Ponemon Institute
The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in businesses and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organisations in a variety of industries.
About PGP Corporation
PGP Corporation is a global leader in email and data encryption software for enterprise protection. Based on a unified key management and policy infrastructure, the PGP® Encryption Platform offers the broadest set of integrated applications for enterprise data security. PGP® platform-enabled applications allow organisations to meet current needs and expand as security requirements evolve for email, laptops, desktops, instant messaging, smartphones, network storage, file transfers, automated processes and backups.
PGP® solutions are used by more than 110,000 enterprises, businesses, and governments worldwide, including 87 percent of the Fortune® 100, 73 percent of the Fortune® Global 100, 80 percent of the German DAX index, and 60 percent of the U.K. FTSE 100 Index. As a result, PGP Corporation has earned a global reputation for innovative, standards-based, and trusted solutions. PGP solutions help protect confidential information, secure customer data, achieve regulatory and audit compliance, and safeguard companies’ brands and reputations. Contact PGP Corporation at www.pgp.com.
Analyst and Media Contact for PGP Corporation
Australia: Karin Krueger, KDK Media, +61 (2) 9979 3718, firstname.lastname@example.org
North America: Tom Rice, Merritt Group, +1 703 856 2218, email@example.com
Media Contacts Ponemon Institute: Mike Spinney, 978-597-0342, firstname.lastname@example.org
Legal Notice Regarding Forward-Looking Statements
Some of the statements in this press release are forward-looking, including statements regarding the availability, plans, delivery, goals, development, expected features, expected benefits and competitive position of PGP products implementing or leveraging the PGP technologies. All references made to product feature enhancements, improvements in Platform support or additional functionality are subject to change at PGP Corporation’s sole discretion. All future descriptions of PGP technology and products are subject to availability only if PGP Corporation decides to build them and when PGP Corporation decides to make them commercially available. Actual results could differ materially from those expressed in any forward-looking statements. Risks and uncertainties that PGP Corporation faces that could cause results to differ materially include risks associated with any unforeseen technical difficulties or software errors related to the final development and launch of any of PGP Corporation’s products; any technological, regulatory, or standards changes in the security, encryption and authentications market which could make PGP Corporation’s products less competitive or require feature changes in these products; any slowdown in the adoption by businesses of encryption suites, secure email, Internet technologies or related standard. The forward-looking statements contained in this release are made as of the date hereof, and PGP Corporation does not assume any obligation to update such statements nor the reasons why actual results could differ materially from those projected in such statements.
PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners.
SOURCE PGP Corporation