Companies that fail to prevent data breaches will pay higher costs to repair the damage in 2008, according to a recent report. Data breach incidents will also cost these companies additional revenue from lost business opportunities and reduced customer retention.
Data breaches cost companies US$197 per compromised customer record in 2007, compared to $182 in 2006. In addition, lost business opportunities, including losses associated with customer churn and acquisition, were the biggest affected areas of cost increase.
These costs rose from $98 in 2006 to $128 in 2007, a 30 percent increase, according to research conducted by the PGP Corporation and released Wednesday.
“A good 80 percent of these breaches resulted from human factors such as lost notebook computers and tiny thumb drives rather than deliberate theft or hacking,” John Dasher, PGP Corporation’s director of product management, told the E-Commerce Times. PGP, a provider of e-mail and data encryption software for enterprise data protection, sponsored the research.
The PGP study examined the financial consequences of actual data breaches involving consumers’ personally identifiable information at 35 U.S. organizations across industries ranging from financial services to retail, health care and software. Some breaches involved fewer than 4,000 records; others exceeded 125,000 records.
The study tracked a wide range of cost factors, including legal, investigative and administrative expenses. It also assessed the impact of customer defections, opportunities lost, reputation management and costs associated with customer support such as information hotlines and credit monitoring subscriptions.
The average total per-incident cost in 2007 was $6.3 million, compared to an average per-incident cost of $4.8 million in 2006. In addition, the cost of lost business increased by 30 percent to an average of $4.1 million in 2007, approximately two-thirds of the average total cost per incident.
Another key finding was a 40 percent increase in breaches by third-party organizations such as outsourcers, contractors, consultants and business partners. This was a 29 percent hike over 2006. Breaches by third parties were also more costly than breaches by the enterprise itself, averaging $231 compared to $171 per record, according to the report.
A separate report issued by data loss prevention firm Vontu and privacy and information management research firm The Ponemon Institute showed that 62 percent of respondents have been notified that their confidential data has been lost, and 84 percent of those respondents reported increased concern or anxiety due to data loss events.
The 2007 Consumer Survey on Data Security reported that breach notification costs fell 40 percent, decreasing from $25 per customer in 2006 to $15 in 2007. This suggests that companies that suffer a data breach developed a more measured, less reactive breach response, the survey concluded.
The survey also revealed that data breaches are affecting consumers’ trust. The bottom line is an impact on customers’ buying behavior, according to the Ponemon Institute.
Though data breaches will no doubt continue to occur in 2008, these two studies suggest that how companies deal with the follow-up procedures is changing.
“Some companies respond better than others. Generally, we are seeing more maturity about how to handle a breach. Companies have advanced beyond sending customers a $10 gift card for their inconvenience,” said Dasher.
The No. 1 response reflected in the studies showed that companies now understand where they need to head, he added.
As a result, consumers should expect to see more data breaches disclosed in 2008. This will happen, to a large degree, because companies recognize the signs.
“Once a company has a breach, it also is better able to identify new breaches more than before,” said Dasher.
Wake-Up Call or Snooze Alarm?
These two industry reports on data breach loss are contributing to a wake-up call among enterprises, Dasher believes.
“Three years ago, a vice president of marketing was not aware of what was happening at the IT level. Now marketing departments care a lot more about security issues. They don’t want to spend their budget share on security issues,” Dasher said.
However, the Ponemon Institute’s survey chairman asserts that the real wake-up call about data breach loss already took place in February of 2005.
“Our study, however, should serve as an annual snooze alarm to remind companies that there is a real and substantial cost for data security negligence. We see that companies are prone to making investments in data protection after a breach when those measures would have been better spent in advance,” Larry Ponemon, chairman and founder of the Ponemon Institute, told the E-Commerce Times.
Security involves more than crossing your fingers, which is a poor substitute for solid data security policies, procedures and technology, he explained. What is needed is a workforce that is trained and aware of its role in the data security chain.
No Attack Plan
Data breaches are more often caused by human error rather than deliberate hacker attacks. Some 96 percent of breaches are caused by the failure to adequately enforce data security policies, the Ponemon/Vontu research revealed.
“Most data breaches are, in fact, the result of human error — good people doing dumb things — or broken business processes. But since we now live in a wide open world of high-speed bandwidth, low-cost storage and a mobile workforce, the consequences of such errors are much more severe,” Steve Roop, vice president of products and marketing at Vontu, told the E-Commerce Times.
Examples include an employee sending the payroll master list to a home e-mail account in order to work on it over the weekend, or a salesperson e-mailing the customer list from an Internet cafe. Technology has created this problem, and technology must play a part in solving it, according to Roop.
“Because of the constant drumbeat of breaches, the good news is that companies are now aware that they need to be on the lookout for errors and broken business processes that would lead to a breach. They now have better visibility into their data loss problem,” Roop added.
The next step for these newly aware organizations is to deploy data loss prevention technologies that automatically protect confidential information and prevent its loss, Roop suggested. Best practices are all about risk reduction, he said.
“By implementing best practices, they are able to reduce the risk of a data breach by more than 90 percent. In a best-practice scenario, the malicious employee or hacker becomes a lot easier to detect and stop,” Roop explained.
Another needed strategy is for companies to invest in good data security policies, procedures, technology and training before a breach event occurs, Ponemon suggested. He also promoted engaging in contingency planning to create a well thought-out map to follow in case a breach event occurs.
“I’m still shocked at the level of complacency that exists. I think there’s fear that introducing new security measures will make life incredibly complicated, but something as simple as good encryption won’t disrupt business, and it could make life a whole lot easier in the long run,” he explained.