June 19, 2013, 12:50 PM — Two weeks ago, while we at TY4NS and everyone else were still hacking our way through the weeds of the NSA spying scandal, Symantec and the Ponemon Institute released their 8th annual global report on the cost of data breaches.
Bottom line: Data losses cost companies big. In fact, on average, it costs $136 for every record lost. And that financial disincentive is what spurs many of them to be better stewards of our data (or at least try harder).
Ponemon surveyed nearly 300 companies across nine countries. All of these companies had lost more than 1000 customer records and fewer than 100,000. If you included companies that suffered massive breaches – like Sony Networks’ loss of 100 million+ user accounts in 2011 – the average loss per record drops by about 75 percent, says Larry Ponemon, chairman of the Institute that bears his name. But these massive breaches happen so rarely that including them would skew the results.

As in the last couple of surveys, the two most expensive countries remain Germany and the US. It costs German companies an average of just under $200 for every record lost. In the US, that figure is $188. On the low end of the scale sit countries like Brazil ($58 per record) and India ($42). (Symantec offers a Data Breach Calculator where you can guesstimate the cost of your organization’s data losses.)
Why the disparity in costs? One reason is that the US and Germany are among the most heavily regulated when it comes to data breaches. Victims in the US and Germany are required by law to be notified quickly when their data is lost. That requires an investment in time and people. In order to save face following a major data loss, many companies will also foot the bill for identity theft monitoring services.
The biggest source of loss, though, is customer churn. When a company loses data, many customers will leave and take their business elsewhere, forcing the companies to spend more money acquiring new customers and repairing their damaged reputations, adds Ponemon. Of course, when companies aren’t required to notify anyone, they lose fewer customers – another reason why enterprises operating in less regulated environments incur lower costs (and, I’d guess, are more blasé about it).