Other costs include reputation fixes and customer support in the form of information hotlines and credit monitoring subscriptions for victims, according to a new survey.
Losing customer data cost companies more this year than last.
According to a study conducted by the Ponemon Institute, an independent information practices research group, data breaches cost businesses an average of $197 per customer record in 2007, up from $182 in 2006.
The average total cost for a data breach in 2007 was $6.3 million, up from $4.8 million in 2006.
The study suggests that lost data translates to lost business opportunity. This mainly comes in the form of customer churn and customer acquisition costs, which rose from $98 per record in 2006 to $128 in 2007 -- a 30% increase.
Other costs include reputation management and customer support costs such as information hotlines and credit monitoring subscriptions for victims.
"In the past, there hasn't been the evidence to say that people are losing customers due to a breach," said John Dasher, director of product management for encryption technology company PGP Corporation. "I think that's changing."
Dasher attributes this to greater public awareness of security issues and less tolerance for them.
The study found outsourcing to be a significant and growing source of risk. Breaches attributable to third-party organizations -- outsourcers, contractors, consultants, and partners -- were reported by 40 percent of respondents, an increase of 29% from 2006.
And in such cases, the breaches were more expensive, costing companies an average of $231 per customer record lost, compared to $171 when no third party was responsible.
"If you outsource [and there's a data breach], your costs are more than if you didn't," said Dasher, who sees this as a consequence of IT trying to do more with less. "The outsourcers themselves appear to not be immune to poor security practices."
Legal costs associated with data breaches and public relations costs rose 8% and 3% respectively of total breach costs, according to the study.
The study indicates that laptops, thumb drives and mobile devices account for 49% of all breaches in the 2007 sample. About 18% of data breach incidents were attributable to a malicious attack (a virus or spyware, for example) or a malicious insider.
The study's findings aren't all bad news: The cost of data breach notification dropped by 15%. Dasher attributes this to organizations being more focused in their response.
PGP Corporation and data loss protection company Vontu (recently acquired by Symantec) sponsored the study. Both companies make products designed to mitigate data breach risks.
The study is based on analysis of 35 data breach incidents in the U.S., which range in scope from losses of fewer than 4,000 records to more than 125,000 records.
More than 216 million customer records have been exposed or lost in data breaches since 2005, according to Privacy Rights Clearinghouse, a privacy advocacy organization.
In late October, the U.K. government acknowledged losing data on more than 25 million of its citizens.
The Ponemon Institute plans to release a study of U.K. data breaches in January.