Rise in the cost of data breaches

October 23, 2006

PGP Corporation and The Ponemon Institute, a privacy and information management research firm, released the 2006 Annual Study: Cost of a Data Breach.

This benchmark analysis details the financial impact of data loss incidents on affected companies. Initiated in 2005, the study examines all financial consequences of data breaches involving consumers’ personally identifiable information. According to the Privacy Rights Clearinghouse, more than 330 data loss incidents involving more than 93 million individual records have occurred since February 2005.

According to the study’s 2006 findings, data breaches cost companies an average of $182 per compromised record, a 31 percent increase over 2005. The Ponemon Institute analyzed 31 different incidents for the study. Total costs for each ranged from less than $1 million to more than $22 million.

The 2006 Cost of a Data Breach Study tracks a wide range of cost factors, including legal, investigative, and administrative expenses, as well as stock performance, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions. “The burden companies must bear as a result of a data breach is significant, making a strong case for more strategic investments in preventative measures such as encryption and data loss prevention,” said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. “Tough laws and intense public scrutiny mean the consequences of poor security are steep—and growing steeper for companies entrusted with managing stores of consumer data.”

A separate report recently issued by Vontu and The Ponemon Institute, U.S. Survey: Confidential Data At Risk, demonstrates that companies do not have adequate controls over the storage of sensitive or confidential data at rest. In that study, 81 percent of respondents reported that their organizations have experienced one or more lost or missing laptop computers that contained sensitive or confidential business information in the past 12-month period.
