March 22, 2012, 7:32 AM — For the first time in seven years—and despite numerous high-profile incidents—the average cost of a data breach fell in 2011, according to new findings released by Symantec and the Ponemon Institute.
"Nearly shocking to me, the cost of data breach declined," says Dr. Larry Ponemon, chairman and founder of research think tank Ponemon Institute. "It's still not chump change."
The study found the average organizational cost per data breach was $5.5 million in 2011, down 24% from $7.2 million in 2010. Additionally, the cost per compromised record fell to $194 per record, down $20 (10%) from 2010. That's the lowest cost per compromised record since 2007.
Ponemon Institute has conducted this benchmark study for seven years using the activity-based costing model developed by Harvard University Professor Robert S. Kaplan. Dr. Ponemon explains that the model starts with the detection or discovery of a data breach incident and takes into account forensic and investigative activities, incident response, notification, legal, consulting, outbound communication and call center activities, activities to maintain customer confidence and trust, direct churn, secondary churn and increased customer acquisition costs. The study investigated 49 actual data breach incidents across 14 industry sectors in the U.S.
A decline in lost business costs—abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill—drove the overall decline in data breach costs. Lost business costs fell to $3.01 million in 2011, down 34% from $4.54 million in 2010.
Data Breach Notifications Too Rapid?
While the decline in costs should benefit businesses, the reason for the decline may not be so reassuring.
"I think the root cause is that people are maybe becoming a little numb to the notification," Dr. Ponemon says when asked to speculate on the driver for the decline in lost business costs. "Maybe most of us by now have received one if not more notifications. Over time, if you don't become a data breach victim as a result of the event, it begins to lose its impact. These notifications are becoming almost ubiquitous. It's hard to determine which ones I should care about."
And, in fact, notification costs were up 10% in 2011, from $511,454 in 2010 to $561,495 in 2011. Dr. Ponemon noted that new laws and regulations governing data breach notification played a role in that increase.