Data breach costs rise with criminal attacks

Criminals are driving up the cost of data breaches for U.S. business, according to researchers at the Ponemon Institute and Symantec.
Written by John Hazard, Contributor


The U.S. Cost of Data Breach survey released today by the Ponemon Institute and sponsored by Symantec, showed the cost of a data breach rose for the fifth straight year to an average $7.2 million per incident, up 7 percent from 2009. That's $214 for every compromised customer record breached.

The most expensive breach reported in 2010 was $35.3 million, and the least expensive was $780,000, both up from the previous year.

A key factor in the rising cost is that criminals account for a larger share of data breaches, and their attacks are significantly more expensive to contain and fix.

Deliberate, criminal attacks rose nearly 30 percent last year and now account for 31 percent of all attacks (negligence, like lost hard drives or documents, still accounts for 41 percent of breaches), and the cost of malicious attacks is rising even faster, jumping 48 percent to an average of $318 per compromised record, wrote Dr. Larry Ponemon, founder and chairman of the institute, on his blog.

Malicious attacks create more costs because they are harder to detect, the investigation is more involved and they are more difficult to contain and remediate. Another reason malicious attacks are so expensive is the criminal is out to monetize their work; they're trying to profit off the breach.

Other factors behind rising costs:

Better awareness: Breaches are less likely to go undetected and/or unreported. This is motivated by the threat of potential legislation. So far, 46 U.S. states have passed such measures, with varying definitions of a breach, deadlines for notifying customers and punishments for failing to comply.

Faster (costlier) response: More companies favor a rapid response. This year, 43 percent of companies notified customers within 30 days.

From Dr. Ponemon's blog:

"For the second year, we've seen companies that quickly respond to data breaches pay more than companies that take longer. This year, they paid 54 percent more."

From Bloomberg:

"One of the factors that's raising the costs is the detection, forensics and upfront work to get to the bottom of the issue," said [Ponemon]. "As more malicious attacks come online, organizations are paying more attention and are investing in their networks."

There are also dozens of indirect costs like loss of customers and better preparation required to meet potential threats -- detection and escalation costs went up by 72 percent, suggesting that companies are investing more resources in prevention and detection.

From InformationWeek:

Encryption has become more popular lately because data breach regulations often exempt companies from notification requirements if the lost data was encrypted.

This trend is partially reflected in the survey, which found: an increase in the number of organizations with an "above average IT security posture"; a decrease in breaches due to system failure, lost or stolen devices, and third-party mistakes; and more companies responding faster and putting [chief information security officers] in charge of response management.

After five years of growth, the cost of data breaches is expected to retreat, according to Ponemon.

Most privacy advocates and people in the data protection community believe that data breach costs will start coming down eventually because consumers will become somewhat immune to data breach news. The idea is that data breach notifications will become so commonplace that customers just won't care anymore.

But that hasn't happened yet...
