Data Breaches Are More Costly Than Ever

By Brian Krebs, Staff Writer
Tuesday, February 3, 2009

Organizations that experienced a data breach in 2008 paid an average of $6.6 million last year to rebuild their brand image and retain customers, according to a new study.

Ponemon Institute, a Tucson-based research firm, looked at 43 organizations that reported a data breach last year and found that roughly $202 was spent on each consumer record compromised. The average number of consumer records exposed in each breach was about 33,000, although the number of records affected in each incident ranged from fewer than 4,200 to more than 113,000.

Eighty-four percent of the companies surveyed had at least one data breach or loss prior to 2008, said Larry Ponemon, the institute's founder. The cost of a breach in 2007 was $6.3 million, and roughly $4.7 million in 2006.

The fourth annual study measured the direct costs of a data breach, such as hiring forensic experts; notifying consumers; setting up telephone hotlines to field queries from concerned or affected customers; offering free credit monitoring subscriptions; and discounts for future products and services.

The survey also sought to measure the more intangible costs of a breach, such as the loss of business from increased customer turnover and decreases in consumer trust. Following a data breach disclosure, the rate at which customers leave one brand for another, known as customer churn, was highest among health care and financial services companies, according to the survey, which found rates of 6.5 percent and 5.5 percent, respectively.

"Some of the best news out of this survey is that churn is really happening," Ponemon said. "People really do care when organizations screw up and lose their data."

The Ponemon cost estimates did not include the effect of a breach on the company's stock price, which in some cases can be substantial.

Last month when Heartland Payment Systems, the nation's sixth-largest credit and debit card processor, disclosed a breach that could affect millions of customers, the company's stock lost 42 percent of its value to close at a 52-week low of $8.18.

The study also did not measure the cost of intellectual property that is lost or stolen after a data breach. At least 44 states and D.C. have enacted laws that require companies that experience a breach of personal information to notify those affected.

Gerhard Watzinger, executive vice president of corporate strategy at computer security firm McAfee, said the incidence of high-profile data breach disclosures over the past year is pushing more companies to invest in data leak prevention technologies. McAfee estimates that data theft and breaches may have cost businesses worldwide as much as $1 trillion last year.

"We're seeing a shift in attitude about these preventative technologies from one of a cost center to being a potential revenue generator," Watzinger said. "With all of these well-publicized data breaches, companies are finding out how expensive it is to repair things after the fact, because the pain organizations suffer from a data breach now is pretty high."

© 2009 The Washington Post Company