Other costs include reputation fixes and customer support in the form of information hotlines and credit monitoring subscriptions for victims, according to a new survey.

Thomas Claburn, Editor at Large, Enterprise Mobility

November 27, 2007

Losing customer data cost companies more this year than last.

According to a study conducted by the Ponemon Institute, an independent information practices research group, data breaches cost businesses an average of $197 per customer record in 2007, up from $182 in 2006.

The average total cost for a data breach in 2007 was $6.3 million, up from $4.8 million in 2006.

The study suggests that lost data translates to lost business opportunity. This mainly comes in the form of customer churn and customer acquisition costs, which rose from $98 per record in 2006 to $128 in 2007 -- a 30% increase.

Other costs include reputation management and customer support costs such as information hotlines and credit monitoring subscriptions for victims.

"In the past, there hasn't been the evidence to say that people are losing customers due to a breach," said John Dasher, director of product management for encryption technology company PGP Corporation. "I think that's changing."

Dasher attributes this to greater public awareness of security issues and less tolerance for them.

The study found outsourcing to be a significant and growing source of risk. Breaches attributable to third-party organizations -- outsourcers, contractors, consultants, and partners -- were reported by 40% of respondents, an increase of 29% from 2006.

And in such cases, the breaches were more expensive, costing companies an average of $231 per customer record lost, compared to $171 when no third party was responsible.

"If you outsource [and there's a data breach], your costs are more than if you didn't," said Dasher, who sees this as a consequence of IT trying to do more with less. "The outsourcers themselves appear to not be immune to poor security practices."

Legal costs associated with data breaches and public relations costs rose 8% and 3% respectively of total breach costs, according to the study.

The study indicates that laptops, thumb drives and mobile devices account for 49% of all breaches in the 2007 sample. About 18% of data breach incidents were attributable to a malicious attack (a virus or spyware, for example) or a malicious insider.

The study's findings aren't all bad news: The cost of data breach notification dropped by 15%. Dasher attributes this to organizations being more focused in their response.

PGP Corporation and data loss protection company Vontu (recently acquired by Symantec) sponsored the study. Both companies make products designed to mitigate data breach risks.

The study is based on analysis of 35 data breach incidents in the U.S., which range in scope from losses of fewer than 4,000 records to more than 125,000 records.

More than 216 million customer records have been exposed or lost in data breaches since 2005, according to Privacy Rights Clearinghouse, a privacy advocacy organization.

In late October, the U.K. government acknowledged losing data on more than 25 million of its citizens.

The Ponemon Institute plans to release a study of U.K. data breaches in January.
