The Ponemon Institute has published its latest 2009 instalment of its UK Annual Study: Cost of a Data Breach (a US version is also available). So what has changed since last year?
Well, there has been a general decline in media interest in and exposure of data breaches of late, so does this have an impact on the cost of losing data? The answer is a resounding “no”. Although average institutional costs of a data breach decreased nearly 3% over 2009, the average cost per compromised record rose 7% to £64. However, generally costs of detection, escalation and notification have decreased.
More notably there has been recorded, for the first time, a decrease in lost business as a result of a data breach. This can be partly explained by the increase in government organisations taking part in the study, as the cost of lost business for the public sector is much lower than the private sector – which could be attributed to lack of competition. One might also be tempted to proffer a view that the public became somewhat desensitised to data loss during the last couple of years. However, countering this is the fact that the cost of lost business still remains the largest cost component, with an average of 4% churn, so consumers are still concerned about the impact of a data breach on them.
Breaking down the cost of a data breach by sector – transportation, financial and communications have the highest cost of a data breach, whereas government and retailers have a lower cost of breach overall. Contrast this with last year’s position where education, communications and consumer had the highest cost.
A general warning to businesses engaged in or thinking of outsourcing – 36% of all cases in the study involved third-party mistakes, which are more costly, especially when the third party is offshore. The cost per compromised record for data breaches involving third parties was £81 compared with £55 for those that did not.
Another interesting statistic is that data breaches experienced for the first time by a company are more expensive than for those who have previously experienced data breaches. The first-time cost is £68 versus £61 for ‘repeat offenders’. This is a good reminder that having the right policies and staff in place to deal with personal data, and with a data breach, is generally a sound investment of time and money. This is borne out by the recorded average cost per compromised record of £59 for organisations which had a Chief Information Security Officer or equivalent to manage the fallout from the breach, as opposed to £67 per record for those that did not.
You can read more interesting findings from the study (and the US equivalent) by downloading the report here.