How much do data breaches cost? More than you think

Data spills cost US companies nearly $200 per record lost -- a good reason why organizations need to do a better job of protecting our data.

Two weeks ago, while we at TY4NS and everyone else were still hacking our way through the weeds of the NSA spying scandal, Symantec and the Ponemon Institute released their 8th annual global report on the cost of data breaches.

Bottom line: Data losses cost companies big. In fact, on average, it costs $136 for every record lost. And that financial disincentive is what spurs many of them to be better stewards of our data (or at least try harder).

Ponemon surveyed nearly 300 companies across nine countries. All of these companies had lost more than 1,000 customer records and fewer than 100,000. If you included companies that suffered massive breaches – like Sony Networks’ loss of 100 million+ user accounts in 2011 – the average loss per record drops by about 75 percent, says Larry Ponemon, chairman of the Institute that bears his name. But these massive breaches happen so rarely that including them would skew the results.

[Chart: Symantec/Ponemon, cost of data breaches]

As in the last couple of surveys, the two most expensive countries remain Germany and the US. It costs German companies an average of just under $200 for every record lost. In the US, that figure is $188. On the low end of the scale sit countries like Brazil ($58 per record) and India ($42). (Symantec offers a Data Breach Calculator where you can guesstimate the cost of your organization’s data losses.)

Why the disparity in costs? One reason is that the US and Germany are among the most heavily regulated when it comes to data breaches. Victims in the US and Germany are required by law to be notified quickly when their data is lost. That requires an investment in time and people. In order to save face following a major data loss, many companies will also foot the bill for identity theft monitoring services.

The biggest source of loss, though, is customer churn. When a company loses data, many customers will leave and take their business elsewhere, forcing the company to spend more money acquiring new customers and repairing its damaged reputation, adds Ponemon. Of course, when companies aren’t required to notify anyone, they lose fewer customers – another reason why enterprises operating in less regulated environments incur lower costs (and, I’d guess, are more blasé about it).

One interesting thing to note, says Ponemon, is that in the US the cost per record lost has been steadily dropping -- from a high of $215 just two years ago to $188 today. The reason?

“My personal belief is that we’ve had quite a few people who’ve been notified their data was breached, but relatively few cases of identity theft arising from them,” says Ponemon. “People are becoming immune to it.”

In other words, customer churn resulting from data breaches has dropped by about 13 percent. He adds that when a company is hacked, people hold it less responsible than companies that lost data through sheer negligence, and are less likely to switch allegiances.

Which brings me to the second part of the survey that I found interesting: the causes of data loss. It’s not gangs of Eastern European digital criminals or script kiddie hackers or Chinese cyber spies; it’s you and me.

[Chart: Symantec/Ponemon, causes of data breaches]

Human error – like losing a thumb drive or a smart phone with customer data on it – accounts for about a third of all losses. Another third is caused by problems with the systems that contain the data. Losses resulting from hackers and malware are the costliest of the bunch, but they’re far less common.

“There’s a lot of sizzle about cybercrime, but in reality, two thirds of data breaches are due to mistakes made by people – either through personal negligence or a systems glitch,” says Ponemon.

Data spills are inevitable. The best way to minimize the damage is to have a contingency plan in place to clean up the mess, as well as someone like a Chief Information Security Officer who’s responsible for dealing with them, says Linda Park, product marketing manager for Symantec’s data loss prevention group.

That or move your entire operation to India. Your call.

Got a question about social media or privacy? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.
