Cost of Data Breaches Declines
For the first time in seven years, the average cost of a data breach in the U.S. has declined. It fell to an average of $5.5 million per data breach in 2011 despite numerous high-profile data breach incidents.
Tue, March 20, 2012
CIO — For the first time in seven years, and despite numerous high-profile incidents, the average cost of a data breach fell in 2011, according to new findings released by Symantec and the Ponemon Institute.
"Nearly shocking to me, the cost of data breach declined," says Dr. Larry Ponemon, chairman and founder of research think tank Ponemon Institute. "It's still not chump change."
The study found the average organizational cost per data breach was $5.5 million in 2011, down 24 percent from $7.2 million in 2010. Additionally, the cost per compromised record fell to $194 per record, down $20 (10 percent) from 2010. That's the lowest cost per compromised record since 2007.
Ponemon Institute has conducted this benchmark study for seven years using the activity-based costing model developed by Harvard University Professor Robert S. Kaplan. Dr. Ponemon explains that the model starts with the detection or discovery of a data breach incident and takes into account forensic and investigative activities, incident response, notification, legal, consulting, outbound communication and call center activities, activities to maintain customer confidence and trust, direct churn, secondary churn and increased customer acquisition costs. The study investigated 49 actual data breach incidents across 14 industry sectors in the U.S.
A decline in lost business costs (abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill) drove the overall decline in data breach costs. Lost business costs fell to $3.01 million in 2011, down 34 percent from $4.54 million in 2010.
Data Breach Notifications Too Rapid?
While the decline in costs should benefit businesses, the reason for the decline may not be so reassuring.
"I think the root cause is that people are maybe becoming a little numb to the notification," Dr. Ponemon says when asked to speculate on the driver for the decline in lost business costs. "Maybe most of us by now have received one if not more notifications. Over time, if you don't become a data breach victim as a result of the event, it begins to lose its impact. These notifications are becoming almost ubiquitous. It's hard to determine which ones I should care about."
And, in fact, notification costs were up 10 percent in 2011, from $511,454 in 2010 to $561,495 in 2011. Dr. Ponemon noted that new laws and regulations governing data breach notification played a role in that increase.
The Ponemon Institute also found that organizations that responded to a breach too quickly, sending notifications to customers immediately rather than first conducting a thorough assessment of the incident, paid on average $33 more per compromised record. Additionally, organizations responding to their first data breach event paid an average of $37 more per compromised record. Data breaches caused by third parties or by lost or stolen devices also raised the average cost per compromised record, by $26 and $22 respectively.