Breaches cost UK companies £64 per record

The cost of data breaches for British businesses is less than half that for the US, but tighter disclosure regulations could change all that, according to PGP

UK organisations see among the lowest costs in the developed world for data breaches, but this could change as more stringent disclosure regulations come into force, according to a new report.

The study, released on Wednesday by encryption company PGP, found that data breaches cost British organisations an average of $98 (£64) per record compromised, with the average total cost of a breach set at $2.57m. By comparison, US companies had the highest cost per record at $204, with a breach at $6.75m. The average worldwide was $142 per record and $3.43m per incident.

The different levels are largely down to differences in the disclosure regulations in the countries participating in the study, PGP said. The Ponemon Institute conducted the research, gathering 2009 data from 133 organisations across 18 industry sectors, located in Australia, France, Germany, the UK and the US.

"The over-arching conclusion from this study is the staggering impact that regulation has on escalating the cost of a data breach," Larry Ponemon, chairman of the institute, said in a statement. "The US figures are testament to this, and it's clear that, as and when breach notification laws are introduced across the rest of the world, other countries will follow the same pattern and costs will rise."

PGP noted that in the US, 46 states have introduced laws forcing organisations to publicly disclose the details of breach incidents. The study found that the cost per record in the US is 43 percent higher than the global average.

Similar notification laws were passed in Germany in July 2009. Costs there were second highest, at $177 per record, or 25 percent above average.

By contrast, Australia, France and the UK do not yet have data breach notification laws, and costs in all three countries were below average. In France, the cost per record was $119, and it was $114 in Australia.

In the UK, only public sector and financial organisations face regulatory pressure to disclose breaches. The financial cost for British organisations was 45 percent below the global average and less than half that incurred by US businesses.

That could change with increased pressure to make UK disclosure laws more stringent, according to Jonathan Armstrong, a technology lawyer at Duane Morris.

"With the UK Information Commissioner's Office (ICO) toughening its stance on data protection — imposing hefty fines and scrutinising more and more organisations — it will be interesting to see how steeply UK costs rise in the future," Armstrong said in a statement.

On Wednesday, the ICO said the NHS reported the highest number of serious data breaches of any UK organisation since the end of 2007, with 287 breaches, or more than 30 percent of the total number reported. The high proportion was partly due to the fact that few private-sector firms report data breaches, the ICO said at the Infosecurity Europe 2010 conference in London.

When losses are the result of malicious or criminal activities, the costs are higher, according to the PGP report. In France, where 35 percent of breaches were caused by such attacks, this factor increased the amount by 121 percent.

In the UK, 24 percent of losses were due to crime, leading to a cost increase of 25 percent. The bottom-of-the-league US saw the same percentage due to criminal activity, but only saw a cost increase of 7 percent.

Another factor was the cost of detecting and escalating a breach, including investment in the new technologies and processes required to comply with new regulations.

In Germany, where breach disclosure laws are recent, firms spent $52 per record on detecting and escalating breaches, the most of any of the countries studied. That compares with $18 per record in the UK.

Once systems are in place, the amount spent on detection and escalation processes falls rapidly, according to the report. PGP noted that in the US, the extra amount was only $8 per record.

"French, Australian and UK firms should expect their costs to follow the same trend, initially rising in order to ensure compliance with emerging regulations and then declining once processes become more refined," PGP said in a statement.

The study, released at the Infosecurity conference, is available via the Ponemon Institute's website.