Don’t Be Too Hasty Following Data Breaches Warns Analyst

Data breaches are not getting any cheaper to deal with, and companies that jump the gun on notifications can end up paying the most.

In its fifth annual study on data breaches, the Ponemon Institute discovered that about 36 percent of participants notified their breach victims within one month, but ended up paying $219 (£135) per compromised record as opposed to the $196 paid by others. According to the study, a reason for this may be that companies moved too quickly through the process of detection, notification and related activities, and made costly mistakes along the way.

“Panicking and making decisions before all the facts are accurately determined may result in extending credit services to individuals who may not have been affected in any way that would put their credit at risk, for example,” noted Mike Spinney, senior privacy analyst with Ponemon. “Initial assessments may have indicated 100,000 folks, but in reality only 50,000 were on the missing disk … that kind of thing can result in wasted money and effort in making notice.”

Overall, the report found the average cost of a breach in 2009 rose to $204 per compromised record, up from $202 in 2008. The PGP-commissioned study also found that the average organisational cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009.

According to the report, the biggest driver of data breach costs is the loss of existing and future customers, which is referred to as the “abnormal churn rate.” The industries with the highest churn rates—all standing at 6 percent—were pharmaceuticals, communications and health care. The financial services industry had a churn rate of 5 percent. Overall, the average abnormal churn rate across all industries stood at 3.7 percent in 2009, 0.1 percent higher than in 2008.

“Customers are increasingly aware of and expecting a secure level of protection and privacy for the data they entrust to businesses,” PGP CEO Phillip Dunkelberger said in a statement. “Our study with the Ponemon Institute continues to demonstrate that companies whose data is not protected are not only facing expensive direct costs from cleaning up a data breach, but also a loss in customer confidence that has long-lasting ramifications.”

While breaches caused by negligent insiders decreased, the portion caused by malicious criminal attacks and botnets rose to 24 percent in this year’s study—double the percentage from 2008. The cost of falling victim to such an attack, $215 per record, is roughly 40 percent higher than the cost of a breach involving a negligent insider, the study found.

Meanwhile, businesses seem to be investing more heavily in technology to deal with the problem. Use of encryption (58 percent), identity and access management (49 percent), and data loss prevention products (42 percent) all increased among study participants.

“Any effective data security strategy requires a balance of technology, awareness and education as it relates to a company’s policies and procedures,” Spinney told eWEEK. “I believe the increase in breaches due to malicious attacks reveals an improvement in an organisation’s ability to detect such attacks, but it does not necessarily suggest that individuals are more vigilant. Awareness is an ongoing effort and one of the least costly components of an effective data security strategy.”