
Data breaches cost organizations $204 per record in 2009

Data breaches cost organizations an average of $204 per exposed record last year, an increase of almost two percent over 2008, according to the fifth annual "Cost of Data Breach" study released on Monday by the Ponemon Institute.

“I am surprised that the number keeps on going up,” Larry Ponemon, chairman and founder of the Ponemon Institute, told SCMagazineUS.com on Friday. “Although the amount is small, it suggests to us that people still deeply care about data breaches.”

The study, which examined the experiences of 45 U.S. companies that suffered breaches last year, found that the share of data breaches caused by malicious attacks and botnets doubled from 12 percent in 2008 to 24 percent in 2009. In addition, breaches caused by human negligence or IT system glitches cost organizations 30 to 40 percent less on average than those caused by malicious attacks.

“For the first time, companies participating in the study reported that data-stealing malware caused their breaches,” the study reported.

More commonly, however, the report stated that 42 percent of all data breaches last year resulted from third-party mistakes, and 36 percent of breaches involved lost or stolen laptops or other mobile devices.

The most expensive data breach included in this year's study cost one organization nearly $31 million to resolve, and the least expensive breach cost $750,000. The study found that lost business makes up the largest portion of breach costs, totaling $135 per record lost on average, a slight decrease from $139 in 2008. Ex-post response activities, which include providing credit monitoring services and other assistance to breach victims, cost $46 per record last year, up from $39 in 2008.

“One of the main reasons for an increase in ex-post response costs is due to the increase in legal defense costs,” the study said. “This can be ascribed to increasing fears of successful class actions resulting from customer, consumer or employee data loss.”

Breach detection activities, which totaled $8 per record on average last year, and the costs of notifying breach victims, which totaled $15 per record, also add to data breach costs.

Notifying breach victims too early, however, may raise total breach costs: those who waited longer to notify breach victims paid $196 per record exposed, while those who notified within one month paid $219, on average.

“Companies striving to make a deadline sometimes cut corners on forensics,” Ponemon said, adding that doing so can result in over-reporting the extent of the breach, which can be very costly.

Companies that have experienced a breach need to communicate promptly, but they must also take enough time to fully investigate the breach to determine who was harmed, how it happened and how to remediate the problem, the Ponemon report said.

Another finding was that having a CISO, or an equivalent position, could decrease data breach costs by almost 50 percent. Companies with a CISO paid $157 per compromised record, on average, compared with $236 per compromised record for those without one.

Tim Matthews, senior director of product marketing at encryption firm PGP, which sponsored the study, told SCMagazineUS.com on Friday that companies with a CISO fare better after breaches because they have security strategies in place to protect the company's assets and to respond to such incidents.

“A CISO can be a focal point and leader,” Matthews said. “Response costs and coordination could be cheaper with someone in that role.”

Besides having a CISO, organizations should consider using encryption technology to help protect data, the study said.
