Study: Breaches Cost $214 Per RecordCost of Breaches in All Industries Up 5% in 2010
The benchmark study, sponsored by Symantec, was based on an analysis of 51 companies in 15 industries, including healthcare, financial services and the public sector. It found that these companies spent, on average, $7.2 million per data breach incident in 2010, up 7 percent from 2009.
Indirect breach costs, such as the loss of customers, outweigh direct costs by nearly two to one, according to the study. But direct costs rose five percentage points to account for 34 percent of total costs in 2010, primarily because of increased legal defense expenses.
"The sharp growth in direct costs and slight but persistent decrease in indirect costs over the past three years may indicate that companies are taking their response to data breaches more seriously than ever," according the report's executive summary.
Breach CausesAmong the report's other key findings:
- The leading cause of breaches is negligence, accounting for 41 percent, up from 40 percent in 2009. The cost of these breaches averaged $196 per record, up 27 percent from 2009.
- Of the various causes of data breaches, malicious or criminal attacks increased the most in 2010, now accounting for 31 percent of breaches. And these breaches result in the highest costs; the cost per compromised record of a data breach involving a malicious or criminal act averaged $318, up 48 percent from 2009.
- For the second straight year, abnormal churn or turnover of customers after data breaches appears to be the dominant factor in total data breach cost, the study shows. The industries with the highest 2010 churn rates were pharmaceuticals and healthcare. The public sector had one of the lowest churn rates.
- Some 43 percent of companies studied notified victims within one month of discovering a breach in 2010, up from 36 percent a year earlier. These quick responders had a per-record cost of $268, compared to $174 per record for slower responders. "The notable increase in companies responding quickly to breaches, despite the additional cost, may reflect pressure companies feel to comply with commercial regulations and state and federal data protection laws," the report states.
- Protecting against viruses, malware and spyware infection was the No. 1 data protection priority for the studied companies in 2010.
- Training and awareness programs remained the most popular post-breach remedies in 2010, mentioned by 63 percent. Expanded use of encryption was the second most popular, at 61 percent.
- About 88 percent of those surveyed had at least one data breach in 2010, up slightly from 2009. The most expensive data breach in this year's study cost a company $35.3 million to resolve; the least expensive cost $780,000.