Complain about a product or service

Study: Data Breaches Getting More Expensive

By Martin H. Bosworth
ConsumerAffairs.com

October 24, 2006

Data Theft • T-Mobile: No Hacking in Data Breach • T-Mobile Confirms Data Breach • Consumers Increasingly Concerned About Online Transactions • Are Identity Theft Services Worth the Cost? • Online Tools Help Spot Financial Fraud • Financial Fraud Hits 7.5 Percent Of Americans In 2008 • Feds Charge Mortgage Broker In Potential Data Breach • Millions of Credit Cards Exposed in Data Breach • 2008 Data Breach Total Soars • Bank Data Breach Threatens 248,000 in North Carolina • GPS Not Foolproof • Countrywide Warns Millions of Data Breach • Thieves Steal AT&T Laptop with Employee Data • Report: Data Breach Disclosure Laws Don't Affect Identity Theft • Patient Information Exposed in Data Breach at Walter Reed • Supermarket Chain Reports Data Breach • Report: Feds Still Not Doing Enough To Secure Data • Data Thieves Hit Georgetown University Students, Faculty • 800,000 Job Seekers At Risk In Gap Data Breach • TJX Data Breach Settlement Has Strings Attached • More ...

One of the many problems with breaches of personal data is that offending companies don't consider it a big enough expense to worry about.

The standard practice is to send out a generic warning letter, offer a year of free credit monitoring, and then go on about their business as if nothing happened.

But a new study shows that the costs of data breaches are getting too high for companies to ignore.

Authored by the Ponemon Institute security research firm, the study indicates that the average data breach costs a company over $4 million per incident, and that companies aren't spending nearly enough to redress the errors.

The Ponemon study looked at 31 separate data breaches between 2005 and 2006. The average data breach cost $4.7 million, averaged out to $182 per individual data record. The costs reflected contacting breach victims, setting up protections for them, and so on. This was an increase from Ponemon's previous finding of $132 per individual record.

Of the $4.7 million, $2.5 million was in "lost business," such as canceled contracts or partnerships. Companies only spent an average of $180,000 on prevention of data breaches.

The study was funded by security companies PGP Corporation and Vontu, Inc. PGP Corporation was partly founded by creators of the PGP (or "Pretty Good Privacy") encryption key, a leading solution for encrypting e-mail, and which has diversified into network and server protection as well.

San Francisco-based Vontu markets itself as the leading company for data security and breach prevention, though it only has a few major clients.

The company recently dove into the growing market for targeted e-mail protection, using software that monitors for specific types of potential breaches, such as information leaks, lack of disclaimers or notices, and so on.

Both companies stand to gain heavily from greater investment in security technology, and PGP's marketing vice-president Andrew Krcik wasn't shy about advertising his company as a solution for data protection.

"Once again, the Ponemon survey illuminates the high costs companies will incur for failing to protecting their customers' data," Krcik said in a statement.

His counterpart at Vontu, Steve Roop, went even further by saying that, "investing in technology solutions from PGP Corporation and Vontu, companies are able to quickly reduce their risk of data loss by as much as 90 percent."

The Ponemon Institute has performed many studies on data breaches, why they occur, and what can be done to prevent them. A September 2005 data survey of 10,000 individuals found that as many as 20 percent would terminate their relationship with any company or agency that exposed their personal data in a breach.

A September 2006 study found that the majority of internal data breaches at companies were caused by "insiders," disgruntled or careless employees, rather than outside hackers. The IT professionals surveyed in the study universally agreed that their bosses placed little priority on data security and protection.

The Privacy Rights Clearinghouse has tracked 330 separate incidents of data exposure, theft, or loss since February 2005, when ChoicePoint sold 145,000 individuals' records to Nigerian data thieves. The total number of affected individuals is over 93 million as of October 2006.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |