The Ponemon Institute has released its second annual study “Cost of a Data Breach”. The results represent the cost estimates for activities resulting from actual data loss incidents in 2008.

According to the report, the total average costs of a data breach grew to £60 per record compromised (up from £47 in the 2007 report), with the total average costs per reporting company of more than £1.73 million per breach (up from £1.42 million in 2007).
Interestingly, the highest cost of data breach has been identified as the cost of lost business, which accounts for 53 percent of data breach costs. This is not hard to imagine, given that a £1.5 million contract with the Home Office was terminated when details on all (at the time) 84,000 prisoners in England and Wales were lost on a memory stick by a third party contractor.
Lost or stolen laptops were the most expensive category of breach, and more than 70 percent of breaches involved insider negligence.
Many companies have responded to the increased costs associated with data breaches by expanding their use of encryption technologies and implementing identity and access management solutions to prevent further data breaches.
Of course, the findings in the report are based only on reported breaches, and potentially many more breaches go unreported. One incentive not to report is that the cost of managing a breach is likely to be far lower if it never becomes public knowledge. At the same time, consumers are starting to demand higher standards for the handling and storage of their personal data.
The report concludes that with the high cost of data breach fallout, and the source of many breaches (such as laptops and USB flash drives) being essential for productivity, the return on investment and justification for preventative measures is clear.
Datonomy would contend, however, that implementing technological measures and data handling procedures may well reduce the likelihood of a data breach (or at least a serious data breach) occurring, but the human factor involved will inevitably mean that these solutions are only as good as the people implementing and carrying them out. This point was picked up at the DMA Data Protection Conference 2009 by Paula Davis, Global Head of Client Services at SAI Global, in her presentation on Measuring the Effectiveness of Privacy Training.
A copy of the report can be downloaded here.