Each Data Breach Costs UK Firms £1.9m

British organisations are continuing to suffer from data loss, despite increased prevention measures

The cost of data breaches in the UK is continuing to rise, with those caused by malicious or criminal attacks costing more than any other, according to new research by the Ponemon Institute.

The average data breach costs UK organisations £1.9 million, an increase of 13 percent from 2009, and 18 percent from 2008. The report, which was sponsored by Symantec, found that incidents ranged from 6,900 to 72,000 records, with the cost of each breach varying from £36,000 to £6.2 million.

“Securing information clearly continues to challenge organisations at all levels,” said Robert Mol, director of EMEA product marketing for Symantec. “Information-savvy organisations are protecting the data itself wherever it is stored or used, and also creating a culture of security including training, policies and actions.”

Policy and IT failure

The research found that system failure had overtaken ‘the negligent insider’ as the most common threat, with 37 percent of all cases involving a failure of policies or technology. Meanwhile, the problem of employee negligence dropped 11 points from 2009, to represent 34 percent of data breaches. The sharp drop in breaches due to negligence may be due to increased awareness of data breaches and more conscientious efforts to prevent them, the report stated.

While hostile attacks – like the Gawker Media hack in December 2010 – accounted for just 29 percent of all data breaches, they were by far the most expensive, costing an average of £80 per record. This is compared to £74 for breaches from third-party mistakes, £72 for data on lost or stolen devices, £66 for negligence and £59 for system failures. This is largely due to indirect costs, such as lost customer business due to ‘churn’ and customer acquisition costs, the report found. Indirect costs in 2010 accounted for 46 percent of the total cost of a data breach, up 10 percent from 2009.

Ironically, however, those companies that responded quickly to data breaches ended up paying more than those that waited more than a month to report the breach. This is a reversal from last year when faster companies benefited from 19 percent lower costs by reporting earlier.

This may be a result of regulatory compliance pressures, after the Information Commissioner’s Office (ICO) was given greater powers of regulation in 2010. Companies that fall foul of the data breach laws now risk a maximum fine of £500,000, although few penalties have been issued.

Increased regulation

“Regulators are cracking down to ensure organisations implement required data security controls or face harsher penalties,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Confronted with both malicious and non-malicious threats from inside and outside the organisation, companies must proactively implement policies and technologies to mitigate the risk of costly breaches.”

The ICO issued its first data loss fines in November 2010, after months of apparent inaction. Hertfordshire County Council was ordered to pay a fine of £100,000 for revealing details of a sex abuse case to a member of the public, and employment agency A4e was fined £60,000 for losing a laptop which contained the unencrypted details of thousands of people.

More recently, Ealing Council was hit with an £80,000 fine and Hounslow Council was charged £70,000, for losing laptops that contained sensitive personal data. Deputy ICO commissioner David Smith said the two councils were paying the price for lax data protection practices.