Study: Data breaches leading to higher costs, customer churn

The average cost of a data breach incident was $6.3 billion in 2007, up from $4.8 million in 2006, according to a study. But the real impact of a data breach can be found in customer churn rates.

The study, conducted by the Ponemon Institute and sponsored by PGP and Vontu, had the following high-level results:

  • Cost per breached record in 2007 was $197, up from $182 in 2006;
  • The cost of lost business averaged $4.1 million in 2007 and represented most of the average cost per incident;
  • Breaches by third-party organizations such as outsourcers, consultants and contractors were reported by 40 percent of the respondents, up from 29 percent in 2006;
  • Notification costs fell to $15 per customer in 2007, down from $25 in 2006, as companies had more measured responses to each breach.

But the real statistic to watch is customer churn rates following a data breach. According to the Ponemon study, which conducted interviews with 35 respondents who lost anywhere from 4,000 to 125,000 records, the average churn rate for companies hit with a data breach was 2.67 percent. That's up from 2.01 percent in 2006.

The bright side with that churn figure: Customers are voting with their dollars after a data breach. "As the churn increases more dollars have to be invested in new customer acquisition," says John Dasher, PGP director of product management. "Churn numbers are something companies really pay attention to. A lot of the financial modeling depends on those numbers."

The churn figures are also magnified for other verticals. The churn rate for financial services companies was 3.64 percent while retailers had a churn rate of 2.81 percent. Other sample sizes were too small to garner churn rates.

Other odds and ends:

  • Financial services firms had the highest cost per lost record at $239;
  • Companies still can't hang on to their laptops. Almost half of the data breaches were due to lost and stolen laptops and USB drives.


1 comment
  • Misleading stats

    1) Self-reporting stats are lower than reality because people don't like to admit failures and tend to minimize the extent, damage and cost.

    2) The numbers are low because most data breaches are not detected. The only reason that some are is because the hardware is missing as well. Hence your high stats for laptops and USBs. If the hardware were not missing they probably would not have known their data was breached.

    3) Stats for cost per record are the wrong metric. By losing a bigger data set you reduce the cost per record. Heck, if we lose a real big data set maybe we can bring the cost per record down to almost nothing at all. Better to rank cost by incident, because then you can match that up with the cost that should have been spent up front to plug the hole.