Companies get proactive as data breach costs continue to rise

The Ponemon Institute's fifth annual report on the costs of data breaches reports some new findings for 2009.

What's the real cost of a data breach? After all, when someone hacks into your data, there are a lot of hidden costs that go beyond plugging the hole in the data file. Customers might jump ship if they feel their data is not safe with you. Employees will need training and education on how to protect data in the future. And you might be forced to cough up money for technologies that protect the data in the event of another attack.

The Ponemon Institute today released its annual study, called Cost of a Data Breach, which surveyed 45 companies in 15 different industry sectors to understand the true costs - not hypothetical ones - that stem from a data breach.

Among the findings of this year's study:

The cost of a data breach continued to rise for U.S. companies. The average organizational cost of a data breach increased about 2 percent, from $6.65 million in 2008 to $6.75 million in 2009. The most expensive data breach in this year's study cost one organization a whopping $31 million.

Companies are no longer just reacting to breaches but instead are getting proactive by implementing training and awareness programs, additional manual procedures and controls and expanded use of encryption, identity and access management tools and other security measures.

Data breaches from attacks and botnets doubled from 2008 to 2009 and cost more than those caused by human error or system hiccups. For data breaches involving a malicious act, the cost per compromised record averaged $215, 40 percent more than those involving a negligent insider ($154) and 30 percent more than those caused by system glitches ($166).

Having a dedicated person on staff to manage data breach incidents helps. Companies with such a person reported average cost per compromised record at $157, 50 percent lower than the $236 for companies without such a person.

Notifying victims right away could cost more. Quick responders who notified their victims within a month of a breach paid 12 percent more than their slower-moving counterparts. Moving too quickly - especially during the detection, escalation and notification phases - may cause inefficiencies that add up.

The breaches in the survey ranged from about 5,000 records to more than 101,000 records.