First-Ever Global Cost of a Data Breach Study Shows Organisations Paid USD3.43 million per Breach in 2009
LONDON, April 28 /PRNewswire/ — InfoSecurity Europe, Earls Court — Privacy and information management research firm Ponemon Institute, together with PGP Corporation, a global leader in trusted data protection, today announced the results of the first-ever global study into the costs incurred by organisations after experiencing a data breach. The 2009 Annual Study: Global Cost of a Data Breach report, compiled by The Ponemon Institute and sponsored by PGP Corporation, assesses the actual cost of activities resulting from more than one hundred real life breach incidents, affecting organisations from 18 different industry sectors.
The research shows that the average cost of a data breach globally stood at USD3.43 million last year, the equivalent of USD142 per compromised customer record. However, costs varied dramatically between regions, from USD204 per lost record in the U.S. down to USD98 per record in the UK. A total of 133 organisations, located in five countries — Australia, France, Germany, the UK and the U.S. — participated in the research, which was undertaken during 2009. The average costs of a data breach in all five countries were as follows:
Country      Av. cost per record (USD)   Av. total cost of a breach (USD)
Australia    114                         1.83 million
France       119                         2.53 million
Germany      177                         3.44 million
UK           98                          2.57 million
U.S.         204                         6.75 million
Average      142                         3.43 million
Breach notification laws and regulations significantly increase costs
The report shows that costs incurred in countries with data breach notification laws were significantly higher than in countries where no such legislation exists. For example, in the U.S., where 46 states have now introduced laws forcing organisations to publicly disclose the details of breach incidents, the cost per lost record was 43 percent higher than the global average. In Germany, where equivalent laws were passed in July 2009, costs were the second highest, 25 percent above the worldwide average. In Australia, France and the UK, where data breach notification laws have not yet been introduced, costs were all below the average.
“The over-arching conclusion from this study is the staggering impact that regulation has on escalating the cost of a data breach,” said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. “The U.S. figures are testament to this and it’s clear that, as and when breach notification laws are introduced across the rest of the world, other countries will follow the same pattern and costs will rise.”
In the UK, where only public sector and financial organisations currently face regulatory pressure to disclose breaches, costs were lowest: 45% below the global average, and equating to less than half the expense incurred by U.S. firms.
“It’s perhaps no surprise that, in the U.S., where data protection laws are both stringent and mature, the financial fallout of a breach is at its most severe; however, the relatively low levels of expense incurred by British firms may raise a few eyebrows,” commented Jonathan Armstrong, technology lawyer at Duane Morris. “With the UK Information Commissioner’s Office toughening its stance on data protection, imposing hefty fines and scrutinising more and more organisations, it will be interesting to see how steeply UK costs rise in the future.”
Lost business due to reduced customer trust is the greatest contributor to costs
Almost half (44 percent) of the incurred data loss expenses related to the cost of lost business, reflecting the added expense of consumer churn and the increased difficulty of attracting new customers in the wake of negative publicity. Again, costs varied dramatically between countries and were highest in the U.S., where the cost of lost business was on average equivalent to 66 percent of overall expenses.
Country      % of cost caused by lost business
Australia    33%
France       30%
Germany      34%
UK           46%
U.S.         66%
Average      44%
“It doesn’t matter where they’re located, if a company gains a reputation for being careless with confidential data, the brand will suffer,” said Phillip Dunkelberger, president and CEO of PGP Corporation. “Data is currency, it needs to be protected. Data breach notification laws mean consumers are informed; more countries around the world are looking to tighten their data protection legislation as they realize lost data means an increase in customer turnover.”
Detection and escalation costs affected by compliance requirements
The cost of detecting and escalating a breach was particularly high in Germany (USD52 per lost record), reflecting the investment required in new technologies and processes in order to comply with the country’s recent notification legislation. In the U.S., where laws were first enforced in 2005, these costs were small by comparison (USD8) and have decreased over recent years, suggesting that American organisations have developed more efficient detection and escalation processes over time. French, Australian and UK firms should expect their costs to follow the same trend, initially rising in order to ensure compliance with emerging regulations and then declining once processes become more refined.
Country      Cost of detection/escalation processes (USD)
Australia    38
France       36
Germany      52
UK           18
U.S.         8
Average      31
Third party flubs and criminal attacks both drive up costs
When a third party was responsible for the data loss incident, costs rose in all countries, reflecting the additional forensics and investigations required to detect and remediate the breach. However, the financial impact of third-party mistakes varied greatly across the world, causing costs to rise by just 12 percent in the U.S. and by a staggering 116 percent in France.
Country      % of breaches caused by third party   % increase in cost
Australia    31                                    39
France       41                                    116
Germany      27                                    31
UK           36                                    31
U.S.         42                                    12
Organisations suffering a data loss incident as a result of malicious or criminal activities also incurred higher costs, with French companies once again experiencing the greatest negative impact. With malicious attacks on the rise across all countries, and accounting for between 24 and 54 percent of incidents, organisations should take a more proactive approach to protecting their data from theft in order to reduce costs.
Country      % of breaches caused by criminal attack   % increase in cost
Australia    44                                        61
France       35                                        121
Germany      54                                        23
UK           24                                        25
U.S.         24                                        7
Strong CISO leadership helps costs fall
Where the organisation’s chief information security officer or equivalent took personal responsibility for managing the breach, costs fell in all five countries. However, CISO-managed events only occur in a minority of cases, with the majority of organisations either not employing a CISO, or not making them directly responsible for data breach incidents.
Country      % of breaches managed by CISO   % reduction in cost
Australia    44                              3
France       41                              12
Germany      36                              45
UK           39                              12
U.S.         40                              33
“The positive news from this research is that, no matter where a company is based, or the laws they must abide by, senior level involvement from a CISO is proven to drive down overall data breach costs,” continued Dunkelberger. “Going forward, organisations would be well advised to create such a role if they want to minimise the fallout from a data breach.”
A copy of the study is available from PGP Corporation at: www.encryptionreports.com
About The Ponemon Institute
The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.
About PGP Corporation
PGP Corporation is a global leader in email and data encryption software. Based on a unified key management and policy infrastructure, the PGP® Encryption Platform offers the broadest set of integrated applications for enterprise data security. PGP® platform-enabled applications allow organizations to meet current needs and expand as security requirements evolve for email, laptops, desktops, instant messaging, smartphones, network storage, file transfers, automated processes, and backups.
PGP® solutions are used by more than 110,000 enterprises, businesses, and governments worldwide, including 87 percent of the Fortune® 100, 73 percent of the Fortune® Global 100, 80 percent of the German DAX index, and 60 percent of the U.K. FTSE 100 Index. As a result, PGP Corporation has earned a global reputation for innovative, standards-based, and trusted solutions. PGP solutions help protect confidential information, secure customer data, achieve regulatory and audit compliance, and safeguard companies’ brands and reputations. Contact PGP Corporation at www.pgp.com.
Legal Notice Regarding Forward-Looking Statements
Some of the statements in this press release are forward-looking, including statements regarding the availability, plans, delivery, goals, development, expected features, expected benefits and competitive position of PGP products implementing or leveraging the PGP technologies. All references made to product feature enhancements, improvements in Platform support or additional functionality are subject to change at PGP Corporation’s sole discretion. All future descriptions of PGP technology and products are subject to availability only if PGP Corporation decides to build them and when PGP Corporation decides to make them commercially available. Actual results could differ materially from those expressed in any forward-looking statements. Risks and uncertainties that PGP Corporation faces that could cause results to differ materially include risks associated with any unforeseen technical difficulties or software errors related to the final development and launch of any of PGP Corporation’s products; any technological, regulatory, or standards changes in the security, encryption and authentications market which could make PGP Corporation’s products less competitive or require feature changes in these products; any slowdown in the adoption by businesses of encryption suites, secure email, Internet technologies or related standard. The forward-looking statements contained in this release are made as of the date hereof, and PGP Corporation does not assume any obligation to update such statements nor the reasons why actual results could differ materially from those projected in such statements.
PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners.
SOURCE PGP Corporation