Study: Data breaches continue to get more costly for businesses

Computerworld - Companies that are reluctant to invest what it takes on data security better be prepared to pony up a lot more if their systems are ever breached.

That's the main take-away from a new report released by the Ponemon Institute LLC, which shows that the average cost of a data breach to companies is continuing to increase. Ponemon said the breaches from last year that it studied cost an average of about $202 for each compromised customer record. That is 46% higher than the $138 per record that Ponemon cited in its first annual report on breach costs, for 2005. The average cost had previously increased to $182 in 2006 and $197 in 2007, according to Ponemon.

The cost-per-record figures include direct expenses for breach detection, mitigation, notification and response efforts, as well as indirect costs, such as the financial impact of customer defections and lost business opportunities. Ponemon said the average overall cost of the breaches covered in the new report was more than $6.6 million, with individual companies reporting costs that ranged from $613,000 to almost $32 million.

The report was based on a study of breaches at 43 large companies from 17 different industries. The number of customer records that were compromised in the breaches ranged from less than 4,200 to more than 113,000. Those figures are much lower than those associated with the most-publicized breaches, which involve compromised records numbering in the millions, but they're in line with the number of compromised records involved in the types of breaches that companies are typically hit by.

Increasingly, the biggest cost to companies that suffer data breaches is lost business, said Larry Ponemon, chairman of the Elk Rapids, Mich.-based think tank. He added that about $139 of the average per-record breach cost — or 69% of the total — was in the form of lost business last year, while other costs declined. That statistic indicates that although companies are getting better at detecting and responding to data breaches, customers are becoming less tolerant of breaches and showing a growing willingness to take their business elsewhere, Ponemon said.

In the wake of breach reports, "we found customer churn rates actually going up," Ponemon said. "People do care deeply about data being stolen."

That concern was especially evident, he noted, in breaches involving financial services firms and health care organizations, because the data involved in such compromises is often more sensitive than the information at other types of companies.

For instance, the customer-defection trend doesn't appear to have manifested itself in a big way in the retail industry. As an example, the massive breach disclosed in January 2007 by The TJX Companies Inc. was expected to have a dramatic impact on customer trust in the company. But in the quarter immediately after the disclosure, TJX reported one of its strongest-ever financial performances. And in the first year after the breach came to light, the retailer's stock price remained largely unaffected, while its same-store sales increased 4%.