U.S. Data Breach Costs Still Increasing, Ponemon Survey Reports

The cost of U.S. data breaches continues to rise, according to a Ponemon Institute survey, reaching an average cost of $7.2 million in 2010, up 7 percent from $6.8 million the previous year. The cost has increased every year since the first was released in 2006. That broke down to $214 per record, up from $204 the previous year, according to the sixth annual "U.S. Cost of a Data Breach" report, sponsored by Symantec.

Rising cost is not all bad news, however. Detection and escalation costs rose dramatically, indicating U.S. organizations are being more proactive in dealing with data security, according to Larry Ponemon, chairman and founder of the Ponemon Institute. Organizations in the United States have invested far less than their European counterparts, he says, and the survey may indicate a trend toward catching up. Spending on detection and escalation was up 72 percent per breach in the United States, from an average $264,000 to $455,000 in 2010. In addition, organizations are spending more resources on contacting and helping victims, $1.7 million, up from $1.5 million per breach.

The study was conducted through detailed surveys, including interviews, of 51 organizations in 15 verticals. The surveys were conducted over six months using multiple resources within each organization (as opposed to surveying a single individual). The breach sizes ranged from 4,200 to 105,000 lost or stolen records. To avoid skewing the overall results, Ponemon did not survey companies with huge breaches of millions of records.

The survey results fly in the face of the common assumption that rapid notification of individual breach victims is a good thing. In fact, organizations that responded quickly (43 percent of the respondents notified victims with 30 days) spent a lot more money, much of it unnecessary, than those that took their time. Though regulations generally favor notification within 30 days, the survey indicates that quick action may be bad business.

"A lot of organizations that notify data breach victims too quickly incur a larger cost, and the reason is, quite frankly, there's an over-reporting phenomenon," says Ponemon. People who are notified when their records were not actually breached become angry and are more likely to stop doing business with the company, ultimately increasing the cost of the breach.The numbers are startling. Organizations responding quickly spent $268 per record; those that took their time spent an average of $174. Some companies completed their notifications within two weeks, Ponemon says, with a result of considerable over-reporting--70 percent, in one case.

The survey also showed that organizations with a security leader with enterprise responsibility tend to do a better job managing data breaches and lowering costs. Breaches at companies displaying CISO leadership spent $193 per record, versus $232 by those that did not.

Malicious or criminal attacks (automated agents, malicious insiders, social engineers, external hackers), which accounted for about a third of the breaches, were by far the costliest breach causes, an average $318 per record, up $103 (48 percent) over 2009 and $151 more than the cost of non-malicious breaches.

"We found that malicious breaches are more expensive because organizations have to expend more resources on detection and escalation," says Ponemon. "More effort is required up front to get to the bottom of the problem."

See more on this topic by subscribing to Network Computing Pro Reports 5 Steps to Secure SaaS (subscription required).