This has been a very newsworthy week for data breach research. Dr. Larry Ponemon, the Ponemon Institute's privacy advocate and researcher, released the Institute's yearly U.S. Cost of Data Breach Study, which wraps up the latest statistics for 2011. After six years of less-than-encouraging news, there were a few surprises in this report.
First, the average organizational cost of a data breach declined from $7.2 million to $5.5 million, and the cost per record declined from $214 in 2010 to $194 in 2011, a 9% decline. With new headlines declaring a breach daily, how could this be? It appears that organizations are becoming better at managing the costs incurred as they respond to and resolve a data breach incident. Alongside this, fewer customers are abandoning companies after a data breach has occurred. It appears that organizations are taking more appropriate steps to keep their customer base loyal and repair damage to their reputation post-breach. Or have customers' mindsets shifted to the belief that data breaches are simply a part of doing business, and that their data isn't secure with any vendor?
Second, the report indicates that "negligent employees and malicious attacks are most often the cause of the data breach." Employee or contractor negligence accounts for 39% of root causes, while 37% of breaches involve a malicious or criminal attack. In addition, malicious attacks are the most costly type of breach, at $222 per record breached.
Third, organizations that employ a CISO (Chief Information Security Officer) with responsibility for data protection see the average cost of a data breach reduced by as much as $80 per compromised record. This research point makes a lot of sense. An organization with an active CISO who conducts data protection training for employees and advocates the appropriate processes, people and technologies to protect the organization will be much better prepared to handle a breach event.
And finally, the report shows that breach detection and escalation costs declined in 2011, but the cost to notify victims of a breach increased. The increase in regulatory requirements governing data breach notifications is believed to have driven the notification costs up. Additionally, the report indicates that quick notification and rapid response can cost organizations $33 more per compromised record. Failing to accurately determine the number of affected individuals can also result in notifying more people than necessary, leading to higher customer churn.
The report isn't all doom and gloom this year. Dr. Ponemon concluded that, for the first time, "companies participating in our annual study report that their data breaches were smaller in scale and resulted in a lower rate of churn." We see a little light at the end of the tunnel, suggesting that the preventative actions organizations are putting in place do work.