Study: Data breaches leading to higher costs, customer churn

The average cost of a data breach incident was $6.3 billion in 2007, up from $4.8 million in 2006, according to a study. But the real impact of a data breach can be found in customer churn rates.

The study, conducted by the Ponemon Institute and sponsored by PGP and Vontu, had the following high-level results:

  • Cost per breached record in 2007 was $197, up from $182 in 2006;
  • The cost of lost business averaged $4.1 million in 2007 and represented most of the average cost per incident;
  • Breaches by third-party organizations such as outsourcers, consultants and contractors were reported by 40 percent of the respondents, up from 29 percent in 2006;
  • Notification costs fell to $15 per customer in 2007, down from $25 in 2006 as companies had more measured responses to each breach.

But the real statistic to watch is customer churn rates following a data breach. According to the Ponemon study, which conducted interviews with 35 respondents that lost anywhere from 4,000 to 125,000 records, the average churn rate for companies hit with a data breach was 2.67 percent. That's up from 2.01 percent in 2006.

The bright side with that churn figure: Customers are voting with their dollars after a data breach. "As the churn increases more dollars have to be invested in new customer acquisition," says John Dasher, PGP director of product management. "Churn numbers are something companies really pay attention to. A lot of the financial modeling depends on those numbers."

The churn figures are also magnified for other verticals. The churn rate for financial services companies was 3.64 percent while retailers had a churn rate of 2.81 percent. Other sample sizes were too small to garner churn rates.

Other odds and ends:

  • Financial services firms had the highest cost per lost record at $239;
  • Companies still can't hang on to their laptops. Almost half of the data breaches were due to lost and stolen laptops and USB drives.