Information Technology
Third Annual UK Ponemon Study Shows the Cost of a Data Breach Continues to Increase
2010 FEB 9 - (VerticalNews.com) -- Privacy and information management research firm Ponemon Institute, together with PGP Corporation, a global leader in enterprise data protection, announced the results of the third annual study into the costs incurred by UK organisations after experiencing a data breach.

The "2009 Annual Study: UK Cost of a Data Breach" report, compiled by the Ponemon Institute and sponsored by PGP Corporation, found that each lost customer record cost on average 64 pounds Sterling in 2009, a seven percent increase on 2008's figure of 60 pounds. In 2007 the cost per lost record stood at just 47 pounds. Lost business due to reduced consumer trust was the main contributor to this expense, making up 29 pounds per record.

The 2009 study is the first report of its kind to quantify the costs associated with both public and private sector breaches. The research showed that UK public organisations faced average costs of 59 pounds per lost record. While the financial impact of lost business is substantially lower for public bodies than for commercial firms, the costs associated with detecting and escalating a breach, with notifying citizens and dealing with subsequent enquiries, are all substantially higher in the public sector, and are the principal contributors to the overall costs. In comparison, the cost per lost record in the commercial sector stood at 69 pounds per record.

"This third annual study shows that the financial impact of data breaches is hitting UK organisations harder and harder each year," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "In the commercial sector the costs associated with customer churn and attracting new customers are particularly acute, but our research suggests these firms are getting better at detection, remediation and customer communications. However, these efficiencies aren't shared in the public sector, where the direct costs of a data breach are significantly higher. For example, the cost of notifying users that their records might have been compromised is more than four times higher for public organisations than for private firms."

The report focuses on the cost of activities resulting from real-life data loss incidents occurring between May 2009 and January 2010. A total of 33 UK organisations - 25 from the private sector and eight from the public sector - participated in the research, revealing breach events of between 5,200 and 60,000 personally identifiable information records. These breaches cost between 365k pounds and 3.92 million pounds to manage, at an average of 1.68 million pounds.

A copy of the study, including a full breakdown of the various direct and indirect costs impacting organisations, is available from PGP Corporation at: http://www.encryptionreports.com/2009cdb.html

Factors impacting data breach costs

The 2009 study shows that the root cause of a data loss incident, and an organisation's reaction to the loss, directly affected the overall cost of the breach. When a third party was responsible for the loss, per record costs climbed to an average of 81 pounds. Organisations which fell victim to a malicious or criminal attack also sustained higher costs, with per capita costs rising to 76 pounds. The financial impact was also greater for those organisations experiencing their first ever breach, or suffering an incident as a result of a lost or stolen laptop.

Conversely, several factors reduced the overall financial impact of a data breach. Organisations which responded quickly to a loss incident, notifying customers of the breach within one month of detection, incurred costs of just 56 pounds per record, 8 pounds lower than the overall average. If the chief information security officer, or equivalent, took personal responsibility for managing the incident, costs dropped to 59 pounds per victim. Firms employing external consultants to assist in the management of the breach saw per record costs fall to an average of 60 pounds.

Keywords: Data Loss, Data Management, Data Protection, Data Security, Encryption, Finance, Financial, Information Encryption, Information Management, Information Security, Information Technology, Investing, Investment, PGP Corporation.

This article was prepared by VerticalNews Information Technology editors from staff and other reports. Copyright 2010, VerticalNews Information Technology via VerticalNews.com.